Lucky escape. Worm could have exploited LinkedIn XSS vulnerability

Within three hours of being reported, a serious cross-site scripting (XSS) vulnerability on LinkedIn’s website has been fixed by its security team.

The vulnerability, discovered by security researcher Rohit Dua and subsequently detailed on the Full Disclosure mailing list, was present in LinkedIn’s help center discussion forum where a lack of proper filtering meant that an attacker could entered characters into a question form to trick the website into executing a script.

Worse of all, the malicious input would be saved on the discussion forum as a question, meaning that other users seeking help could be impacted if their browser attempted to render pages containing the code.

“Once the question gets posted, it, along with the script execution, can be immediately viewed in Help Forum > Your Discussions or in the questions public list, or the questions page of your tag,” explained the researcher.

Dua created a YouTube video which demonstrates the flaw in action:

Obviously having a flaw like this on a popular website is far from ideal. In fact, I would consider this a lucky escape for LinkedIn as it’s clear that if the flaw had been discovered by a malicious party rather than a responsible researcher that it could have been exploited in a way that would have affected LinkedIn users seeking help and damaged the company’s brand.

However, impressively, LinkedIn’s security team responded within 15 minutes to Dua’s notification and was able to implement a fix for the vulnerability within three hours.

Here is the disclosure timeline shared by Rohit Dua:

Nov 16, 2015: Vulnerability acquired by Rohit Dua.
Nov 16, 2015 11:15 PM: Responsible disclosure to Linkedin Security Team.
Nov 16, 2015 11:28 PM: Initial vendor notification sent
Nov 17, 2015 02:12 AM: Vendor implemented a fix*
Nov 18, 2015: Disclosure

It seems to me that LinkedIn certainly should be applauded for such a fast turnaround.

Dua says that he received no financial reward for reporting the bug because LinkedIn runs a private bug bounty program. Instead, he received an appreciative email from LinkedIn’s security team and an invitation to join the private bug bounty program, meaning he might be in the run for receiving compensation for helping LinkedIn rid itself of vulnerabilities in future.

A LinkedIn spokesperson told ThreatPost that they were grateful for Dua’s efforts:

“This responsibly disclosed issue was in our help center portal, not on the main site, and no member data was at risk. The researcher was great to work with which helped us fix the issue in a very timely manner. There has been no exploitation or abuse of this issue on our help portal. We would like to thank the researcher for his great write-up and helping protect our members.”