A remotely exploitable vulnerability that was found to affect 600 million WhatsApp users in 2014, and even more off and on since then, by causing remotely initiated system crashes has now resurfaced in a new form. The LinkedIn mobile application for iOS, versions 9.11 and older, has been found to contain a CPU resource exhaustion vulnerability that can be triggered by user-supplied input.
The vulnerability arises because the mobile application's filter for user-supplied input is unable to detect malicious or troublesome input. When a user sends such a message to another user on the LinkedIn application, the script is read as soon as the recipient views the message, and processing it overloads the CPU until the application crashes from resource exhaustion.
The vulnerability has been found to affect iOS version 11.4.1, primarily on iPhone 7 devices. When the malicious code is read on this system, it consumes 48 seconds of CPU time over 62 seconds, for a 93% CPU average. This average is far above the cutoff of 80% CPU usage over 60 seconds, which results in system exhaustion and the consequent crash.
As seen with WhatsApp, once the code is no longer the most recent message in the conversation, the crashing stops. This appears to be the case in LinkedIn's mobile application as well. To stop the application from crashing every time you try to relaunch it, you must ask the user who sent you the faulty code to send you another, plain message. This isn't the easiest mitigation technique when the messages come from attackers who are deliberately exploiting this vulnerability to cause you trouble.
The following script, created by Juan Sacco, generates the code that causes the CPU exhaustion.
This vulnerability has only just emerged, and LinkedIn has taken notice. The firm has not yet released an update, a patch, or an advisory detailing mitigations.