LinkedIn quickly addressed a persistent cross-site scripting (XSS) vulnerability found by a researcher earlier this week in the company’s official Help Center website.
Security researcher Rohit Dua discovered that an attacker could have injected malicious code into the “more details” field of the LinkedIn Help Center’s “Start a Discussion” page. Once the attacker published the post containing the XSS payload, the malicious code would get executed every time someone accessed the post, either directly in LinkedIn’s Help Center or by clicking on a link sent by the attacker.
Dua pointed out in an advisory that LinkedIn had filters in place to prevent such attacks, but a loophole he identified allowed attackers to inject malicious code. The expert believes this persistent XSS vulnerability could have been exploited to perform actions on the targeted user’s behalf, and even for an XSS worm designed to spread on LinkedIn’s forums.
The expert reported his findings to LinkedIn on November 16 and the business-oriented social network patched it within three hours.
Dua has published a video demonstrating the existence of the vulnerability and how it could have been exploited by a malicious actor.
LinkedIn accepts vulnerability reports from anyone via its security(at)linkedin.com email address, but the company also runs a private bug bounty program on the HackerOne platform.
LinkedIn has opted for a private program because the company believes public programs have a poor signal-to-noise ratio due to many incorrect, incomplete or irrelevant reports.
The social network launched its bug bounty program in October 2014 after selecting a small group of researchers who regularly submitted useful information. In June, the company reported that it had paid out more than $65,000 for a total of 65 security holes reported by experts since the launch of the program.
“We did evaluate creating a public bug bounty program. However, based on our experience handling external bug reports and our observations of the public bug bounty ecosystem we believe the cost-to-value of these programs no longer fit the aspirational goals they originally had,” Cory Scott, LinkedIn’s director of information security, said in June. “This private bug bounty program gives our strong internal application security team the ability to focus on securing the next generation of LinkedIn’s products while interacting with a small, qualified community of external researchers.”
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
