Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

LinkedIn Patches Persistent XSS Flaw in Help Center

LinkedIn quickly addressed a persistent cross-site scripting (XSS) vulnerability found by a researcher earlier this week in the company’s official Help Center website.

LinkedIn quickly addressed a persistent cross-site scripting (XSS) vulnerability found by a researcher earlier this week in the company’s official Help Center website.

Security researcher Rohit Dua discovered that an attacker could have injected malicious code into the “more details” field of the LinkedIn Help Center’s “Start a Discussion” page. Once the attacker published the post containing the XSS payload, the malicious code would get executed every time someone accessed the post, either directly in LinkedIn’s Help Center or by clicking on a link sent by the attacker.

Dua pointed out in an advisory that LinkedIn had filters in place to prevent such attacks, but a loophole he identified allowed attackers to inject malicious code. The expert believes this persistent XSS vulnerability could have been exploited to perform actions on the targeted user’s behalf, and even for an XSS worm designed to spread on LinkedIn’s forums.

The expert reported his findings to LinkedIn on November 16 and the business-oriented social network patched it within three hours.

Dua has published a video demonstrating the existence of the vulnerability and how it could have been exploited by a malicious actor.

LinkedIn accepts vulnerability reports from anyone via its security(at)linkedin.com email address, but the company also runs a private bug bounty program on the HackerOne platform.

LinkedIn has opted for a private program because the company believes public programs have a poor signal-to-noise ratio due to many incorrect, incomplete or irrelevant reports.

The social network launched its bug bounty program in October 2014 after selecting a small group of researchers who regularly submitted useful information. In June, the company reported that it had paid out more than $65,000 for a total of 65 security holes reported by experts since the launch of the program.

“We did evaluate creating a public bug bounty program. However, based on our experience handling external bug reports and our observations of the public bug bounty ecosystem we believe the cost-to-value of these programs no longer fit the aspirational goals they originally had,” Cory Scott, LinkedIn’s director of information security, said in June. “This private bug bounty program gives our strong internal application security team the ability to focus on securing the next generation of LinkedIn’s products while interacting with a small, qualified community of external researchers.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.