LinkedIn OAuth Credentials

LinkedIn OAuth credentials are used to authenticate applications and services to access LinkedIn's API on behalf of users. These credentials typically include a client ID and client secret, which are used to obtain access tokens for API requests. Exposure of these credentials can lead to unauthorized access to LinkedIn user data and actions on behalf of users, posing significant security risks.


How Does It Look

OAuth credentials can appear in various contexts, such as:

  • Environment variables

    export LINKEDIN_CLIENT_ID="abc123"
    export LINKEDIN_CLIENT_SECRET="xyz789"
  • Configuration files (JSON)

    {
      "linkedin": {
        "clientId": "abc123",
        "clientSecret": "xyz789"
      }
    }
  • Code snippets

    const linkedinConfig = {
      clientId: 'abc123',
      clientSecret: 'xyz789'
    };
  • Connection strings

    linkedin://client_id:abc123@client_secret:xyz789

Severity

  • 🔴 Critical

The severity is critical because LinkedIn OAuth credentials provide access to user data and the ability to perform actions on behalf of users. The blast radius includes unauthorized data access, potential data manipulation, and misuse of user accounts, which can lead to significant privacy and security breaches.


What Can an Attacker Do?

With immediate access to LinkedIn OAuth credentials, an attacker can impersonate users and access their LinkedIn data.

Key actions an attacker can perform:

  • Access user profiles: Retrieve personal information (if the credential has read permissions)
  • Post updates: Publish content on behalf of users (if write access is enabled)
  • Access connections: View and potentially manipulate user connections (depending on permission scope)
  • Extract analytics: Gather insights from user interactions (if analytics permissions are granted)

An attacker could potentially escalate their access by leveraging the compromised credentials to gain further insights into the user's network, leading to lateral movement across other connected services.


Real-World Impact

Exposure of LinkedIn OAuth credentials poses significant business risks, including unauthorized access to sensitive user data.

Potential consequences include:

  • Data Exposure: User profiles, connections, and activity data (if the credential has read access to sensitive data)
  • Financial Loss: Costs associated with unauthorized actions or data breaches (if billing/resource creation is permitted)
  • Operational Disruption: Unauthorized posts or data manipulation (if the attacker has write permissions)
  • Reputational Damage: Loss of user trust and brand credibility

In the worst-case scenario, the exposure could lead to widespread data breaches affecting multiple users, resulting in severe reputational and financial damage.


Prerequisites for Exploitation

  • Network access requirements: Internet access to reach LinkedIn's API endpoints
  • Additional context needed: Knowledge of LinkedIn API endpoints and user account details
  • Rate limits or restrictions: LinkedIn API rate limits may restrict the volume of requests

How to Verify If It's Active

To verify if the LinkedIn OAuth credential is active, use the following command:

    curl -X GET "https://api.linkedin.com/v2/me" -H "Authorization: Bearer [ACCESS_TOKEN]"

Valid credential response: A successful response will return user profile data in JSON format.

Invalid/expired credential response: An error message indicating invalid credentials or token expiration.


Detection Patterns

Common Variable Names:

  • LINKEDIN_CLIENT_ID
  • LINKEDIN_CLIENT_SECRET
  • LINKEDIN_OAUTH_TOKEN
  • LINKEDIN_ACCESS_TOKEN
  • LINKEDIN_API_KEY
  • LINKEDIN_SECRET

File Locations:

  • .env
  • config.json
  • settings.yaml
  • linkedin_config.js

Regex Pattern:

    linkedin.*(client_id|client_secret|access_token|api_key)\s*[:=]\s*['"]?[a-zA-Z0-9_-]{16,}['"]?
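The following scanner is an added example, not code from this page or from LinkedIn; it turns the pattern above into a small detector and runs it over constructed inputs mirroring the four forms shown under "How Does It Look". It departs from the page's regex in three ways, all assumptions of this example: the character class is written `[A-Za-z0-9_-]` so the hyphen is a literal rather than the range `9-_`; the key names also accept the camelCase spellings (`clientId`, `clientSecret`) from the JSON and JS samples, and an optional closing quote is allowed after the key so quoted JSON keys match; and the word `linkedin` is treated as a context marker that may sit up to 200 characters before the key (the `WINDOW` constant), so multi-line JSON/JS objects are covered and one context word can attribute several keys. The sample values are made up and are long enough to clear the 16-character floor.

```python
import re
from typing import List, NamedTuple

# Context word: the page's pattern anchors on "linkedin"; matched case-insensitively here.
CONTEXT_RE = re.compile(r"linkedin", re.IGNORECASE)

# Key/value pair. Extended (assumption) to camelCase keys and to a quote after the key.
KEYVAL_RE = re.compile(
    r"(client[_-]?id|client[_-]?secret|access[_-]?token|api[_-]?key)"
    r"""['"]?\s*[:=]\s*['"]?([A-Za-z0-9_-]{16,})['"]?""",
    re.IGNORECASE,
)

WINDOW = 200  # assumed: max characters between the context word and the key


class Finding(NamedTuple):
    line: int     # 1-based line number of the secret value
    key: str      # matched key name, lower-cased
    masked: str   # first 4 characters of the value, rest starred, safe to log


def mask(value: str) -> str:
    """Keep a short prefix for triage; never log the full secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan(text: str) -> List[Finding]:
    """Return every key/value hit that sits within WINDOW chars after a 'linkedin' context."""
    findings: List[Finding] = []
    seen = set()  # value offsets already reported (two contexts may cover one key)
    for ctx in CONTEXT_RE.finditer(text):
        for m in KEYVAL_RE.finditer(text, ctx.end()):
            if m.start() - ctx.end() > WINDOW:
                break
            if m.start(2) in seen:
                continue
            seen.add(m.start(2))
            line_no = text.count("\n", 0, m.start(2)) + 1
            findings.append(Finding(line_no, m.group(1).lower(), mask(m.group(2))))
    return findings


# Constructed sample inputs (not real credentials) in the four forms from the page.
SAMPLES = {
    "env": (
        'export LINKEDIN_CLIENT_ID="AQVabc123def456ghi789"\n'
        'export LINKEDIN_CLIENT_SECRET="WXYZ1234abcd5678efgh"\n'
    ),
    "json": (
        '{\n  "linkedin": {\n'
        '    "clientId": "AQVabc123def456ghi789",\n'
        '    "clientSecret": "WXYZ1234abcd5678efgh"\n  }\n}\n'
    ),
    "js": (
        "const linkedinConfig = {\n"
        "  clientId: 'AQVabc123def456ghi789',\n"
        "  clientSecret: 'WXYZ1234abcd5678efgh'\n};\n"
    ),
    "connstr": "linkedin://client_id:AQVabc123def456ghi789@client_secret:WXYZ1234abcd5678efgh\n",
    # Must not fire: no LinkedIn context before the GitHub key, and the LinkedIn value is too short.
    "negative": (
        'export GITHUB_CLIENT_SECRET="WXYZ1234abcd5678efgh"\n'
        'export LINKEDIN_CLIENT_ID="abc123"\n'
    ),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for f in scan(text):
            print(f"{name}: line {f.line} {f.key} = {f.masked}")
```

The context window is deliberately loose: a key belonging to another provider that happens to sit within 200 characters after the word `linkedin` is flagged too, so treat hits as candidates for triage rather than confirmed LinkedIn secrets. Values shorter than 16 characters, including the `abc123`/`xyz789` placeholders shown on this page, are skipped by the length floor, which is why the samples above use longer made-up strings.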

Remediation Steps

  1. Revoke immediately - Go to LinkedIn Developer Portal > My Apps > [Your App] > Auth and delete the compromised credentials.
  2. Audit access logs - Review LinkedIn API logs for unauthorized requests or data access during the exposure window.
  3. Assess blast radius - Identify all systems, applications, and environments that used the exposed credential.
  4. Rotate credential - Generate new OAuth credentials in the LinkedIn Developer Portal with least-privilege permissions.
  5. Update dependent systems - Deploy the new credential to all applications and update CI/CD pipelines securely.
  6. Harden access controls - Enable IP allowlisting in LinkedIn Developer Portal and require OAuth scopes to be explicitly defined.
  7. Implement secrets management - Migrate credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
  8. Add detection controls - Set up pre-commit hooks and repository scanning to catch credential leaks before they reach production.

Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.


References