LinkedIn quickly addressed a persistent cross-site scripting (XSS) vulnerability found by a researcher earlier this week in the company’s official Help Center website.
Security researcher Rohit Dua discovered that an attacker could have injected malicious code into the “more details” field of the LinkedIn Help Center’s “Start a Discussion” page. Once the attacker published the post containing the XSS payload, the malicious code would get executed every time someone accessed the post, either directly in LinkedIn’s Help Center or by clicking on a link sent by the attacker.
Dua pointed out in an advisory that LinkedIn had filters in place to prevent such attacks, but a loophole he identified allowed attackers to inject malicious code. The expert believes this persistent XSS vulnerability could have been exploited to perform actions on the targeted user’s behalf, and even for an XSS worm designed to spread on LinkedIn’s forums.
The expert reported his findings to LinkedIn on November 16 and the business-oriented social network patched it within three hours.
Dua has published a video demonstrating the existence of the vulnerability and how it could have been exploited by a malicious actor.
LinkedIn accepts vulnerability reports from anyone via its security(at)linkedin.com email address, but the company also runs a private bug bounty program on the HackerOne platform.
LinkedIn has opted for a private program because the company believes public programs have a poor signal-to-noise ratio due to many incorrect, incomplete or irrelevant reports.
The social network launched its bug bounty program in October 2014 after selecting a small group of researchers who regularly submitted useful information. In June, the company reported that it had paid out more than $65,000 for a total of 65 security holes reported by experts since the launch of the program.
“We did evaluate creating a public bug bounty program. However, based on our experience handling external bug reports and our observations of the public bug bounty ecosystem we believe the cost-to-value of these programs no longer fit the aspirational goals they originally had,” Cory Scott, LinkedIn’s director of information security, said in June. “This private bug bounty program gives our strong internal application security team the ability to focus on securing the next generation of LinkedIn’s products while interacting with a small, qualified community of external researchers.”
