Lucky escape. Worm could have exploited LinkedIn XSS vulnerability

Graham CLULEY

November 23, 2015

Within three hours of being reported, a serious cross-site scripting (XSS) vulnerability on LinkedIn’s website has been fixed by its security team.

The vulnerability, discovered by security researcher Rohit Dua and subsequently detailed on the Full Disclosure mailing list, was present in LinkedIn’s help center discussion forum, where a lack of proper filtering meant that an attacker could enter characters into a question form to trick the website into executing a script.

Worst of all, the malicious input would be saved on the discussion forum as a question, meaning that other users seeking help could be affected if their browser rendered pages containing the code.

[Image: xss-flaw-linkedin]

“Once the question gets posted, it, along with the script execution, can be immediately viewed in Help Forum > Your Discussions or in the questions public list, or the questions page of your tag,” explained the researcher.
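To make the mechanism concrete, here is a small added example (not LinkedIn's code and not part of the researcher's disclosure) of a stored XSS of the kind described above: a hypothetical help-forum question store, a renderer that concatenates user text straight into HTML, the same renderer with HTML output encoding applied, and a crude check a reviewer could run over rendered output. The forum store, field names and sample questions are all constructed for illustration.

```javascript
// Added example, not LinkedIn's code: a stored XSS in a help-forum question
// form, and the output-encoding fix that prevents it.

// Encode the characters that are significant in HTML text and attribute
// contexts. '&' must be handled first so later replacements are not re-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical in-memory store standing in for the help center's database.
const questions = [];

// Storing the raw text is fine; the defect is in how it is rendered later.
function postQuestion(author, title, body) {
  const q = { id: questions.length + 1, author, title, body };
  questions.push(q);
  return q;
}

// Vulnerable renderer: user-controlled fields are interpolated into HTML as-is,
// so a saved question is re-executed in every reader's browser.
function renderQuestionVulnerable(q) {
  return `<article id="q${q.id}"><h2>${q.title}</h2>` +
    `<p>${q.body}</p><footer>${q.author}</footer></article>`;
}

// Fixed renderer: every user-controlled field is encoded for the HTML text
// context at the point of output.
function renderQuestionSafe(q) {
  return `<article id="q${q.id}"><h2>${escapeHtml(q.title)}</h2>` +
    `<p>${escapeHtml(q.body)}</p><footer>${escapeHtml(q.author)}</footer></article>`;
}

// Crude review check: does a raw <script> tag or an inline event handler
// attribute survive in the rendered page? Useful as a regression test.
function containsActiveContent(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Constructed sample data: one ordinary question and one hostile one.
const ordinary = postQuestion("member", "How do I export contacts?", "Settings > Export");
const hostile = postQuestion("attacker", "Export help", "<script>alert(1)</script>");

// Rendered as the forum would show them to other users.
const vulnerableView = questions.map(renderQuestionVulnerable).join("\n");
const safeView = questions.map(renderQuestionSafe).join("\n");
```

The point of the split between `postQuestion` and the two renderers is that input filtering alone is fragile; encoding at the output boundary, for the specific context the value lands in, is what stops the stored payload from being interpreted as markup.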

Dua created a YouTube video which demonstrates the flaw in action:

Obviously having a flaw like this on a popular website is far from ideal. In fact, I would consider this a lucky escape for LinkedIn, as it’s clear that if the flaw had been discovered by a malicious party rather than a responsible researcher, it could have been exploited in a way that affected LinkedIn users seeking help and damaged the company’s brand.

However, impressively, LinkedIn’s security team responded within 15 minutes to Dua’s notification and was able to implement a fix for the vulnerability within three hours.

Here is the disclosure timeline shared by Rohit Dua:

Nov 16, 2015: Vulnerability acquired by Rohit Dua.
Nov 16, 2015 11:15 PM: Responsible disclosure to LinkedIn Security Team.
Nov 16, 2015 11:28 PM: Initial vendor notification sent
Nov 17, 2015 02:12 AM: Vendor implemented a fix*
Nov 18, 2015: Disclosure

It seems to me that LinkedIn certainly should be applauded for such a fast turnaround.

Dua says that he received no financial reward for reporting the bug because LinkedIn runs a private bug bounty program. Instead, he received an appreciative email from LinkedIn’s security team and an invitation to join the private bug bounty program, meaning he might be in the running for compensation for helping LinkedIn rid itself of vulnerabilities in future.

A LinkedIn spokesperson told ThreatPost that they were grateful for Dua’s efforts:

“This responsibly disclosed issue was in our help center portal, not on the main site, and no member data was at risk. The researcher was great to work with which helped us fix the issue in a very timely manner. There has been no exploitation or abuse of this issue on our help portal. We would like to thank the researcher for his great write-up and helping protect our members.”
