Some time ago, I discovered an XSS in LinkedIn, and thought what the heck, let's report it.
I reported the XSS using the customer service center (couldn't find a security contact anywhere) on 25/Dec/2009.
The automated answer I received was:
LinkedIn has received your question. A service professional will review and respond to your inquiry as quickly as possible. Thank you!
We wish you a safe and prosperous holiday season and new year. We appreciate your support!
On 5/Jan/2010 I received the following:
Thank you for taking time out of your busy day to provide this feedback.
It is members like you that help us reach our company goals by providing insight on features that align with the needs of our customers. Your feedback has been sent to our research and development team for future consideration.
Even though we’re not able to respond individually to numerous recommendations we receive, we’d like to invite you to subscribe to the LinkedIn Blog (http://blog.linkedin.com) to begin receiving the latest notifications on site improvements. It’s our way of keeping you and our other members informed on all the exciting work we’re doing behind the scenes.
If you have further questions, please feel free to reply to this message.
A few months later, I remembered the issue while looking through my emails, and thought let's quickly check if they fixed it. Yep, it was still there. So I sent them another mail on 10/Mar/2010. A few days after the automated generic reply, I received the following on 19/Mar/2010:
Thank you for contacting LinkedIn Customer Support.
Would you please provide more information regarding this so that I can check into it further for you? Please send me a screen shot of where you see this on your homepage by using the link below:
Answer Title: Creating a Screen Shot
Answer Link: http://linkedin.custhelp.com/cgi-bin/linkedin.cfg/php/enduser/std_adp.php?p_faqid=223
I would be happy to assist you with any additional questions you have regarding this matter.
Dear LinkedIn Customer Support, thank you for guiding me on how to create a screen shot. I had sent you the PoC URL in the initial email. My response:
What I am reporting here is a security issue for the LinkedIn website. More information about cross-site scripting can be found at: http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
The vulnerable URL is: http://www.linkedin.com/.....
On 24/Mar/2010 I received the following:
We appreciate the time and efforts you have taken to record this issue and apologize for the issue you are currently experiencing.
The issue you have reported appears to be an isolated incident affecting relatively few users at this time. However, I have relayed your information on to the appropriate parties to evaluate, as it will assist our product and engineering groups as they determine the next steps for this issue.
Thank you for your patience and support as we review this matter.
Oh LinkedIn, thanks for understanding... I wonder what your response would be to a more serious issue (not that I don't consider XSS serious)...
Fast forward to September 2010, and the XSS is still there.
If anyone from LinkedIn, or someone who knows anyone at LinkedIn, reads this, do send me an email with some contact details.
Update: @phyr3wall discovered another XSS on the mobile site. He was kind enough to send me the URL. Anyone at LinkedIn can contact me for the details on both XSS issues.
Update2: A LinkedIn employee contacted me a few days after the post. Both XSS issues have now been fixed.