Lucky escape. Worm could have exploited LinkedIn XSS vulnerability
Within three hours of being reported, a serious cross-site scripting (XSS) vulnerability on LinkedIn’s website has been fixed by its security team.
The vulnerability, discovered by security researcher Rohit Dua and subsequently detailed on the Full Disclosure mailing list, was present in LinkedIn’s help center discussion forum, where a lack of proper filtering meant that an attacker could enter characters into a question form to trick the website into executing a script.
Worst of all, the malicious input would be saved on the discussion forum as a question, meaning that other users seeking help could be affected if their browser rendered a page containing the code.
“Once the question gets posted, it, along with the script execution, can be immediately viewed in Help Forum > Your Discussions or in the questions public list, or the questions page of your tag,” explained the researcher.
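The root cause described above is a stored (persistent) XSS: user input is saved as forum content and later written into HTML without encoding. The following is an added illustration, not LinkedIn's code, of the difference between a renderer that interpolates a stored question straight into markup and one that HTML-encodes every untrusted value on output. The question object, field names and the tiny "active markup" check are constructed for the example.

```javascript
// Added example (not LinkedIn's code): output encoding for user-supplied
// forum content, shown beside the unencoded rendering that causes stored XSS.

// Characters that change meaning inside HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value so the browser treats it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable renderer: the stored title and body land in the page verbatim,
// so any tag a user typed into the question form becomes live HTML.
function renderQuestionUnsafe(question) {
  return `<div class="question"><h2>${question.title}</h2>` +
         `<p>${question.body}</p></div>`;
}

// Hardened renderer: identical markup, but every untrusted field is encoded
// at the point it is written into HTML (output encoding, not input filtering).
function renderQuestionSafe(question) {
  return `<div class="question"><h2>${escapeHtml(question.title)}</h2>` +
         `<p>${escapeHtml(question.body)}</p></div>`;
}

// Coarse check used only to demonstrate the difference: does the rendered
// fragment still contain an element or inline event handler that can run code?
function containsActiveMarkup(html) {
  return /<\s*(script|img|svg|iframe)\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample question, as a careless or hostile user might submit it.
const sampleQuestion = {
  title: 'How do I reset my password? <script>alert(1)</script>',
  body: 'Tried the "Forgot password" link & got nothing.',
};

// Stand-alone demonstration.
console.log('unsafe :', renderQuestionUnsafe(sampleQuestion));
console.log('safe   :', renderQuestionSafe(sampleQuestion));
console.log('unsafe contains active markup?', containsActiveMarkup(renderQuestionUnsafe(sampleQuestion)));
console.log('safe contains active markup?  ', containsActiveMarkup(renderQuestionSafe(sampleQuestion)));
```

The important design point is that the fix lives at the output boundary rather than in an input filter: the stored question can keep its original text (a user may legitimately paste HTML into a help question), and the encoding is applied for the HTML text context in which it is rendered. Values placed into other contexts (attributes, URLs, inline script) need the encoder appropriate to that context, and a Content-Security-Policy that disallows inline script gives a second layer if an encoding step is ever missed.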
Dua created a YouTube video which demonstrates the flaw in action:
Obviously having a flaw like this on a popular website is far from ideal. In fact, I would consider this a lucky escape for LinkedIn as it’s clear that if the flaw had been discovered by a malicious party rather than a responsible researcher that it could have been exploited in a way that would have affected LinkedIn users seeking help and damaged the company’s brand.
However, impressively, LinkedIn’s security team responded within 15 minutes to Dua’s notification and was able to implement a fix for the vulnerability within three hours.
Here is the disclosure timeline shared by Rohit Dua:
Nov 16, 2015: Vulnerability acquired by Rohit Dua.
Nov 16, 2015 11:15 PM: Responsible disclosure to Linkedin Security Team.
Nov 16, 2015 11:28 PM: Initial vendor notification sent
Nov 17, 2015 02:12 AM: Vendor implemented a fix*
Nov 18, 2015: Disclosure
It seems to me that LinkedIn certainly should be applauded for such a fast turnaround.
Dua says that he received no financial reward for reporting the bug because LinkedIn runs a private bug bounty program. Instead, he received an appreciative email from LinkedIn’s security team and an invitation to join the private bug bounty program, meaning he might be in the running for compensation for helping LinkedIn rid itself of vulnerabilities in future.
A LinkedIn spokesperson told ThreatPost that they were grateful for Dua’s efforts:
“This responsibly disclosed issue was in our help center portal, not on the main site, and no member data was at risk. The researcher was great to work with which helped us fix the issue in a very timely manner. There has been no exploitation or abuse of this issue on our help portal. We would like to thank the researcher for his great write-up and helping protect our members.”