How I am able to Impersonate your LinkedIn profile

Hello Guys!! Here is the real time scenario to use Homography.

As I am personalizing my profile URL, I thought to do same with my friend’s one. I tried normally but LinkedIn do not accept as it’s already used.

Finally, it accepted my profile URL https://www.linkedin.com/in/mrreboοt/ as visible as my friend’s https://www.linkedin.com/in/mrreboot/ . Great, now it may be used for any social engineering activities which may lead to loss in reputation etc.,

Spoofed profile:

Actual Profile:

The actual URL is https://www.linkedin.com/in/mrrebo%CE%BFt/ where I used Homograph character ‘о’ which seems like ‘o’ whose actual punycode is “%CE%BF” from https://www.irongeek.com/homoglyph-attack-generator.php

Same scenario can be used as per the requirement in case of getting fake IDNs, Profile Names etc., for best social engineering and phishing attacks.

Here one more thing found is, LinkedIn does not accept special characters in the URL personalizing, by using this even we can bypass server side validation and can use %CE%BF etc.,

Sad thing, I reported same and LinkedIn considered  this as informative finding. As it’s more than 90days from reporting and LinkedIn did not find considerable risk so I am disclosing here.

Let me know if you have any more exploitation scenarios, that may increase the risk.

GitR Secure

Lazy Bug Hunter, still okay with few HoF from Yahoo, Intel, Lenovo, US-DoD, Dell etc. Running to make my self active to Learn and Share more.

More Posts - Website

Follow Me:
LinkedIn

Leave A Comment

Your email address will not be published. Required fields are marked *