Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

LinkedIn Patches Persistent XSS Flaw in Help Center

LinkedIn quickly addressed a persistent cross-site scripting (XSS) vulnerability found by a researcher earlier this week in the company’s official Help Center website.

LinkedIn quickly addressed a persistent cross-site scripting (XSS) vulnerability found by a researcher earlier this week in the company’s official Help Center website.

Security researcher Rohit Dua discovered that an attacker could have injected malicious code into the “more details” field of the LinkedIn Help Center’s “Start a Discussion” page. Once the attacker published the post containing the XSS payload, the malicious code would get executed every time someone accessed the post, either directly in LinkedIn’s Help Center or by clicking on a link sent by the attacker.

Dua pointed out in an advisory that LinkedIn had filters in place to prevent such attacks, but a loophole he identified allowed attackers to inject malicious code. The expert believes this persistent XSS vulnerability could have been exploited to perform actions on the targeted user’s behalf, and even for an XSS worm designed to spread on LinkedIn’s forums.

The expert reported his findings to LinkedIn on November 16 and the business-oriented social network patched it within three hours.

Dua has published a video demonstrating the existence of the vulnerability and how it could have been exploited by a malicious actor.

LinkedIn accepts vulnerability reports from anyone via its security(at)linkedin.com email address, but the company also runs a private bug bounty program on the HackerOne platform.

Advertisement. Scroll to continue reading.

LinkedIn has opted for a private program because the company believes public programs have a poor signal-to-noise ratio due to many incorrect, incomplete or irrelevant reports.

The social network launched its bug bounty program in October 2014 after selecting a small group of researchers who regularly submitted useful information. In June, the company reported that it had paid out more than $65,000 for a total of 65 security holes reported by experts since the launch of the program.

“We did evaluate creating a public bug bounty program. However, based on our experience handling external bug reports and our observations of the public bug bounty ecosystem we believe the cost-to-value of these programs no longer fit the aspirational goals they originally had,” Cory Scott, LinkedIn’s director of information security, said in June. “This private bug bounty program gives our strong internal application security team the ability to focus on securing the next generation of LinkedIn’s products while interacting with a small, qualified community of external researchers.”

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

N-able has appointed Russell Rosa as Chief Revenue Officer.

Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.

F5 has appointed Cathy Peterman as Chief People Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.