Exposure of confidential secret or token LinkedIn client secret
Description
The response body contains content that matches the pattern of a LinkedIn client secret was identified. Client secrets are used when allowing users to sign in to your application. Depending on the scopes requested, a malicious actor could impersonate the service to access users’ information. Exposing this value could allow attackers to gain access to all resources granted by this token.
Remediation
For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.
To regenerate your client secret:
- Sign in to your LinkedIn account and visit https://www.linkedin.com/developers/apps/
- Find the application that contains the identified secret and select its name
- Select the “Auth” tab
- Select “Generate a new Client Secret” in the “Application credentials” section
- If “Generate a new Client Secret” does not exist, you most likely have two active secrets, delete one, and it should appear
- Select the “X” next to the secret that was identified to remove it
- When prompted, select “Confirm” in the “Remove the Primary Client Secret” dialog
For more information, please see LinkedIn’s documentation on API access.
Details
| ID | Aggregated | CWE | Type | Risk |
|---|---|---|---|---|
| 798.69 | false | 798 | Passive | High |