The professional social networking service LinkedIn was susceptible to four reflected cross-site scripting (XSS) vulnerabilities before it issued a fix for those flaws over the summer.
XSS vulnerabilities are among the most prevalent bugs online. In this case an attacker could potentially exploit LinkedIn users by injecting HTML or script code into their browser in order to steal the user’s cookies, according to a posting on the Full Disclosure mailing list.
After successfully exploiting the issue, an attacker could then send phishing emails drawing unsuspecting users to a clone site to infect the victim’s machine with malware, or steal that user’s login credentials.
The first vulnerability is exploitable by writing maliciously crafted HTML into the “Share an update…” field on the LinkedIn home page. The second and third XSS bugs can be similarly exploited by visiting the “Groups you may be interested in” section of the “Groups” page. Once there, an attacker would need to find an open group and begin a discussion by inserting more specially crafted code into the field on that page before sharing the discussion. The final vulnerability exists on the “group” page as well. However, this one is exploitable by creating a group, then creating a poll within that group and inserting malicious code into the poll creation field.
Eduardo Garcia Melia of ISecAuditors uncovered the flaws in December 2012. According to Full Disclosure, LinkedIn fixed the problems sometime in July 2013, and Melia submitted the vulnerability report to Full Disclosure yesterday.
Threatpost reached out to LinkedIn to confirm that the company’s security team had indeed resolved the vulnerabilities, but the company was not readily available for comment at the time of publication.
LinkedIn touts itself as the world’s largest professional network, boasting more than 238 million users globally.
The professional network made a splash earlier this month with an appeal to the Foreign Intelligence Surveillance Court, the secretive court responsible for regulating much of the National Security Agency’s spying efforts, asking that it be permitted to publish data on the number of National Security Letters it receives.