Jack Cyber-security graduate student interested in researching privacy and security issues.

LinkHub - Automated Github Pwn of LinkedIn Organizations

Code

This program is free and open-source software (FOSS). All code can be found here: https://github.com/ACK-J/LinkHub

Description

LinkedIn is a great networking site that shows off all the employees currently working at an organization. GitHub is a place for people to post code about their open source projects publicly. I’ve noticed that people mix personal and professional accounts by accident, a lot of the time. This leads to a security vulnerability that cannot be managed directly by their employer. My idea was to create a single program that can quickly grab every LinkedIn employee for a single organization, cycle through each of the employees, and see if they use the same username on GitHub. If they do, it pulls down any repositories that include the name of the organization somewhere in them. Lastly, it uses tools such as truffleHog and shhgit to find security issues deep in the GitHub commit history.
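For a team auditing its own repositories, the sketch below shows why commit history matters: a key deleted in a later commit is still recoverable from the earlier one. It is an added example, not code from LinkHub, truffleHog or shhgit; the two patterns and the sample history are assumptions constructed for illustration.

```python
import re

# Constructed `git log -p` excerpt (newest commit first). The key ID is AWS's
# documented example value; hashes and file names are made up.
SAMPLE_HISTORY = """\
commit 2222222222222222222222222222222222222222
    remove credentials
--- a/deploy.cfg
+++ b/deploy.cfg
@@ -1,2 +1,1 @@
 region = us-east-1
-aws_access_key_id = AKIAIOSFODNN7EXAMPLE
commit 1111111111111111111111111111111111111111
    initial deploy config
--- /dev/null
+++ b/deploy.cfg
@@ -0,0 +1,2 @@
+region = us-east-1
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
"""

# Illustrative rules only; real scanners ship many more plus entropy checks.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

def scan_history(patch_text):
    """Flag secrets on added lines and note whether a newer commit deleted them."""
    findings, removed, commit, path = [], set(), None, None
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("--- "):
            continue  # old-file header, not content
        elif line.startswith(("+", "-")):
            for rule, pattern in RULES.items():
                for value in pattern.findall(line):
                    if line[0] == "-":
                        removed.add(value)  # deletion seen in a newer commit
                    else:
                        findings.append({"commit": commit, "file": path, "rule": rule,
                                         "removed_later": value in removed})
    return findings

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(finding)
```

A finding with `removed_later` set means the current tree looks clean while the credential remains in history, so the key has to be rotated rather than just deleted.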

The Problem

Most of the time, LinkedIn will let you see over 1,000 employee accounts before it cuts you off. There are cases where you will not be able to see the employee’s LinkedIn account; this is most likely because you are not within 3+ connections. You can fix this by connecting with a few people at a single company. A good privacy option that would stop this technique is allowing users to share their profiles only with their immediate connections and making anyone else request access. What makes this technique possible is the over-abundance of specific user data LinkedIn is willing to share with anyone.

Bug Bounty

This is a great tool to aid in finding bug bounties. You can let it run in the background while you do other things, and hopefully, once it finishes, you will be left with leaked private keys or AWS tokens that you can turn into $$$.

Along with security issues within the GitHub repo, LinkHub will show you the email addresses used for each account. A lot of the time these will be personal email addresses, which are great to use to find old insecure passwords in data breaches.

Cool Tricks

If you want to find the email address of a GitHub user, you can use the following command, substituting your API key and the username.

GH_EMAIL_TOKEN=01234567890123456789 ./gitemail.sh ACK-J
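Git records an author email in every commit, so a team can check its own repositories for personal addresses and mixed identities before they are published. The sketch below is an added example, not part of LinkHub or gitemail.sh; the `%h|%an|%ae` log format, the corporate domain example.com and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of `git log --format='%h|%an|%ae'` output; names, hashes
# and domains are made up (example.com is the assumed corporate domain).
SAMPLE_LOG = """\
a1b2c3d|Dana Dev|dana@example.com
b2c3d4e|Dana Dev|dana.dev1990@mailhost.test
c3d4e5f|Sam Ops|12345+samops@users.noreply.github.com
d4e5f6a|Sam Ops|sam@EXAMPLE.com
"""

def classify(email, corporate_domains):
    """Return 'noreply', 'corporate' or 'other' for a commit author address."""
    domain = email.strip().rsplit("@", 1)[-1].lower()
    if domain == "users.noreply.github.com":
        return "noreply"
    if domain in corporate_domains:
        return "corporate"
    return "other"

def audit_author_emails(log_text, corporate_domains=("example.com",)):
    """Per author name, list the commits made under each class of address."""
    report = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        if line.count("|") < 2:
            continue  # not a record in the expected format
        sha, rest = line.split("|", 1)
        name, email = rest.rsplit("|", 1)  # names may themselves contain '|'
        kind = classify(email, corporate_domains)
        report[name][kind].append((sha, email.strip().lower()))
    return {name: dict(kinds) for name, kinds in report.items()}

def mixed_identity_authors(report):
    """Authors who committed under both a corporate and an outside address."""
    return sorted(name for name, kinds in report.items()
                  if "corporate" in kinds and "other" in kinds)

if __name__ == "__main__":
    report = audit_author_emails(SAMPLE_LOG)
    print(mixed_identity_authors(report))
```

Setting the commit address to GitHub's noreply form (`ID+username@users.noreply.github.com`) keeps a personal address out of new commits.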

Installation

git clone https://github.com/ACK-J/LinkHub.git

cd LinkHub && pip3 install -r requirements.txt && chmod +x gitemail.sh && cd ..

sudo apt install jq git

git clone https://github.com/dxa4481/truffleHog.git

go get github.com/eth0izzle/shhgit

Now add your Github API key to config.yaml

Tutorial

This tutorial may seem long due to all the big pictures but once you do the process the first time, you can complete the whole thing in under a minute.

First, log into https://www.linkedin.com and go to a company's page. I will use Google as an example for this tutorial.

At the bottom of the header, you will see different tabs. You want to click on People.

From here you can filter by the type of employee you are looking to find vulnerabilities in. I search for something to the effect of engineer since this will include software engineers, security engineers, and other similar development-based jobs.

For the next part, you need to have a mouse. You can do it without one, but a mouse makes the process a lot easier.

Clicking the center button on a mouse activates “auto-scrolling” where you can move your cursor on the screen and the page will scroll in that direction. This comes in handy since we are going to need to scroll down for a while to see as many employees as possible.

You should see the symbol shown above. Now just move your cursor to the bottom of the screen and it will scroll in that direction until there are no more employees. Most of the time this will not return every single employee that you filtered for, since LinkedIn will eventually limit you, but you will be able to capture a few thousand employees in most cases.

Once you have reached the bottom (On Firefox)

  • Right-click on the page
  • Select inspect element
  • Scroll to the top of the “Inspector” tab

  • Right-click on the <html> tag shown above
  • Go to Copy -> Outer HTML
  • Paste the contents into a text file and save it as something like google.html

Configuring linkhub.py

Now that you have your HTML file ready to go, you only need to configure a few global variables within the linkhub.py file. Don’t worry, this will be super quick and easy.

When you open the file it should look similar to this.

The GitHub username and API-token (password) are needed to hit the GitHub API. If you don’t already have a Github API token you can generate one by going to https://github.com/settings/tokens and clicking "Personal Access Token" -> "Generate New Token".

  • You do not need to give the token any permissions!

Next, give the full paths to the trufflehog.py script and the shhgit binary.

If you don’t know where these files are, use these two commands:

locate trufflehog.py
locate shhgit

Put the HTML file we saved before within the LinkHub folder and provide the file name to the global variable FILE_NAME.

Lastly, give two search terms to look for within each GitHub repo; a match may indicate that the repo is used at the company.

  • Normally I put the name of the company and a subsidiary of the company.

Run the program!

python3 linkhub.py

Output

All output will be saved to files within the LinkHub directory so it can be reviewed later.

This program was developed on Ubuntu using Firefox.