Friday 27 January 2023, Security guide

A vulnerability that allowed anyone to download any CV from LinkedIn

Lost24

Some time ago, the sekurak.pl portal published details of a very harmful but simple vulnerability in LinkedIn.


Namely, it was possible to download any user's CV without logging in, without any authorization and without any additional steps. It was enough to request a specific URL, e.g. "linkedin.com/api/v4/download_resume?id=827387", and then substitute other numbers for the id parameter to retrieve further users' CVs one after another.
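The bug described above is the classic insecure direct object reference: a sequential numeric id alone selects the record, and the server never checks who is asking. The following Python is an added example written for this post, not code from sekurak.pl or from LinkedIn. It puts a minimal model of the flawed lookup next to a hardened variant (random, non-enumerable handles plus an ownership check on every read) and adds a small detector that flags clients walking consecutive ids in an access log. The record store, the requester names, the log format and all log lines are constructed for illustration; only the endpoint path and the example id are taken from the post.

```python
"""Added example modelling the CV-download flaw described in the post.

Not code from sekurak.pl or LinkedIn. The store, names and log lines are
constructed; the endpoint path and the id 827387 come from the post.
"""
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Resume:
    owner: str
    content: bytes
    shared_with: frozenset = frozenset()


# Constructed sample data: sequential integer ids, like the endpoint in the post.
RESUMES_BY_SEQ_ID = {
    827387: Resume("alice", b"Alice's CV"),
    827388: Resume("bob", b"Bob's CV"),
}


def vulnerable_download(resume_id: int) -> Optional[bytes]:
    """The flawed pattern: the id alone selects the record and nobody's identity
    is checked, so with sequential ids every record can be walked through."""
    resume = RESUMES_BY_SEQ_ID.get(resume_id)
    return resume.content if resume else None


class ResumeStore:
    """Hardened variant: opaque random handles and an authorization check per read."""

    def __init__(self) -> None:
        self._by_handle: Dict[str, Resume] = {}

    def add(self, owner: str, content: bytes, shared_with=()) -> str:
        handle = secrets.token_urlsafe(16)  # 128 random bits: not guessable, not enumerable
        self._by_handle[handle] = Resume(owner, content, frozenset(shared_with))
        return handle

    def download(self, handle: str, requester: Optional[str]) -> Optional[bytes]:
        # Unauthenticated callers get nothing, whatever handle they present.
        if requester is None:
            return None
        resume = self._by_handle.get(handle)
        # Same answer for "no such handle" and "not yours": do not leak existence.
        if resume is None or (requester != resume.owner and requester not in resume.shared_with):
            return None
        return resume.content


# Constructed access-log format: "<client ip> GET <path> <status>".
LOG_RE = re.compile(r"^(?P<ip>\S+) GET /api/v4/download_resume\?id=(?P<id>\d+) (?P<status>\d{3})$")

# Constructed log lines: one client sweeping consecutive ids, one ordinary client.
SAMPLE_LOG = """\
203.0.113.5 GET /api/v4/download_resume?id=827387 200
203.0.113.5 GET /api/v4/download_resume?id=827388 200
203.0.113.5 GET /api/v4/download_resume?id=827389 200
203.0.113.5 GET /api/v4/download_resume?id=827390 200
198.51.100.7 GET /api/v4/download_resume?id=912004 200
203.0.113.5 GET /api/v4/download_resume?id=827391 200
"""


def detect_enumeration(log_text: str, min_run: int = 5) -> Set[str]:
    """Flag clients whose requested ids contain a run of at least min_run consecutive integers."""
    ids_by_ip: Dict[str, Set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m["ip"]].add(int(m["id"]))
    flagged: Set[str] = set()
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged.add(ip)
    return flagged


if __name__ == "__main__":
    print(vulnerable_download(827387))            # any caller, any id: b"Alice's CV"
    store = ResumeStore()
    h = store.add("alice", b"Alice's CV")
    print(store.download(h, "alice"), store.download(h, "mallory"))
    print(detect_enumeration(SAMPLE_LOG))         # {'203.0.113.5'}
```

The detector is deliberately crude (a sorted run of consecutive ids per client, no time window), which is enough to show the signal such a sweep leaves in logs; in practice the threshold would be tuned against the normal number of distinct CVs one client legitimately opens.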


The vulnerability has been patched, and a bounty of $5,000 was paid for reporting it.


Source: sekurak.pl