LinkedIn Fixes Persistent XSS Vulnerability

LinkedIn fixed a persistent cross site scripting vulnerability in its site this week that could have spread a worm on the service’s help forums.

Developers at LinkedIn fixed a persistent cross site scripting vulnerability in the social network this week that could have been exploited to spread a worm on the service’s help forums.

It was a very a quick turnaround for the company according to the researcher, who said LinkedIn fixed the issue a mere three hours after he reported it.

According to Rohit Dua, a security researcher based in India, the issue existed in a portal on LinkedIn’s Help Center site. To exploit the issue, a user would’ve had to sign into LinkedIn, gone to the site’s Help forum and started a discussion. By entering in a few lines of code, Dua claims an attacker could’ve executed script.

linkedin-xss-injected-code

“Once the question gets posted, it, along with the script execution, can be immediately viewed in Help Forum –> Your Discussions or in the questions public list, or the questions page of your tag,” Dua wrote in his proof of concept, published Wednesday.

If an attacker found a way to exploit the vulnerability, it could have easily been leveraged for an XSS worm Dua claims.

Dua alerted the company of the bug shortly after 11 p.m. on Monday, and according to his disclosure timeline, LinkedIn implemented a fix shortly after 2 a.m. on Tuesday.

When reached Wednesday a LinkedIn spokesperson corroborated the vulnerability and corresponding fix and assured users that no member data was ever at risk of being compromised.

“This responsibly disclosed issue was in our help center portal, not on the main site, and no member data was at risk. The researcher was great to work with which helped us fix the issue in a very timely manner. There has been no exploitation or abuse of this issue on our help portal. We would like to thank the researcher for his great write-up and helping protect our members,” LinkedIn said.

LinkedIn announced this past summer that it started its own private bug bounty program back in October 2014. While the initiative is still private, LinkedIn has invited Dua to join the program.

Suggested articles