0x0Lab Blog Just another damn blog


How hard can it be to disclose an XSS

Some time ago, I discovered an XSS in LinkedIn, and thought what the heck, let's report it.
I reported the XSS using the customer service center (couldn't find a security contact anywhere) on 25/Dec/2009.
The automated answer I received was:

LinkedIn has received your question. A service professional will review and respond to your inquiry as quickly as possible. Thank you!

We wish you a safe and prosperous holiday season and new year. We appreciate your support!

On 5/Jan/2010 I received the following:

Thank you for taking time out of your busy day to provide this feedback.
It is members like you that help us reach our company goals by providing insight on features that align with the needs of our customers. Your feedback has been sent to our research and development team for future consideration.
Even though we’re not able to respond individually to numerous recommendations we receive, we’d like to invite you to subscribe to the LinkedIn Blog (http://blog.linkedin.com) to begin receiving the latest notifications on site improvements. It’s our way of keeping you and our other members informed on all the exciting work we’re doing behind the scenes.
If you have further questions, please feel free to reply to this message.

A few months later, I remembered the issue while looking through my emails, and thought I'd quickly check whether they had fixed it. Yep, it was still there. So I sent them another mail on 10/Mar/2010. A few days after the automated generic reply, I received the following on 19/Mar/2010:

Thank you for contacting LinkedIn Customer Support.
Would you please provide more information regarding this so that I can check into it further for you? Please send me a screen shot of where you see this on your homepage by using the link below:
Answer Title: Creating a Screen Shot
Answer Link: http://linkedin.custhelp.com/cgi-bin/linkedin.cfg/php/enduser/std_adp.php?p_faqid=223
I would be happy to assist you with any additional questions you have regarding this matter.

Dear LinkedIn Customer Support, thank you for guiding me on how to create a screen shot. I had already sent you the PoC URL in the initial email. My response:

What I am reporting here is a security issue for the LinkedIn website. More information about cross-site scripting can be found at: http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
I've also attached a screenshot, showing javascript execution from the URL.
The vulnerable URL is: http://www.linkedin.com/.....
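
The issue reported above is a reflected XSS: a value taken from the URL is written into the page without encoding, so the browser runs attacker-supplied script. The following is an added illustration, not code from the original post and not LinkedIn's code; the host `example.com`, the `q` parameter and the function names are assumptions. It shows a minimal vulnerable renderer beside the hardened version that HTML-encodes the value on output, and checks both against a typical PoC payload. Runs offline with Node.js only.

```javascript
// Added example (not LinkedIn's code and not from the original post): a
// minimal reflected-XSS scenario of the kind reported above, where a value
// from the URL query string is written straight into the page, beside the
// hardened version that HTML-encodes it before output.

// Constructed PoC payload of the classic kind used to demonstrate reflected XSS.
const POC_PAYLOAD = '<script>alert(document.domain)</script>';

// Vulnerable: the `q` parameter (an assumed name) is concatenated into HTML
// without encoding, so the browser parses the attacker's markup as page content.
function renderSearchVulnerable(url) {
  const q = new URL(url).searchParams.get('q') || '';
  return `<h1>Results for: ${q}</h1>`;
}

// Encode the five characters that matter in an HTML text context.
// This is for text nodes only; attribute, URL and JavaScript contexts
// each need their own context-specific encoding.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: the same page, with the untrusted value encoded on output.
function renderSearchSafe(url) {
  const q = new URL(url).searchParams.get('q') || '';
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Crude check used by the demo: does the rendered HTML still contain a live
// <script> tag? Sufficient for this payload; real verification uses a browser.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  // Hypothetical host; the real vulnerable URL in the post is redacted.
  const url = 'https://example.com/search?q=' + encodeURIComponent(POC_PAYLOAD);
  return {
    vulnerable: containsScriptTag(renderSearchVulnerable(url)), // true
    safe: containsScriptTag(renderSearchSafe(url)),             // false
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log(`vulnerable page carries live script: ${r.vulnerable}`);
  console.log(`hardened page carries live script:   ${r.safe}`);
}
```

The point a support desk tends to miss is the second line of `demo()`: the payload is delivered by a URL the victim merely clicks, so a screenshot of "your homepage" is beside the point; any user who follows the link gets script executed in their LinkedIn session.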

On 24/Mar/2010 I received the following:

We appreciate the time and efforts you have taken to record this issue and apologize for the issue you are currently experiencing.
The issue you have reported appears to be an isolated incident affecting relatively few users at this time. However, I have relayed your information on to the appropriate parties to evaluate, as it will assist our product and engineering groups as they determine the next steps for this issue.
Thank you for your patience and support as we review this matter.

Oh, LinkedIn, thanks for understanding... I wonder what your response to a more serious issue (not that I don't consider XSS serious) would be...

Fast forward to September 2010, and the XSS is still there.

[Screenshot: LinkedIn XSS]

If anyone from LinkedIn or someone who knows anyone at LinkedIn reads this, do send me an email with some contact details :)

Update: @phyr3wall discovered another XSS on the mobile site. He was kind enough to send me the URL. Anyone at LinkedIn can contact me for the details on both XSS.

Update2: A LinkedIn employee contacted me a few days after the post. Both XSS issues have now been fixed.

Posted by cirrus

Filed under: Security

Comments (2)
  1. I have also discovered, by accident, a (session/business logic) security flaw on LinkedIn. One day, as soon as I arrived at my office, I logged in to LinkedIn. Everything seemed quite weird and unfamiliar. I didn't know any of the people in the LinkedIn status updates. Then I saw at the top that I had logged in as a different user, from the Management department in the same company and building as me. I logged out and logged in again. The same. While logged in, I could see and edit my profile normally, but all my inbox, news, etc. were not mine but the same user's....

    I thought of reporting it and informing my manager, but then I thought "I am the only guy here working on security.... guess who they will turn their suspicions on..." so I just forgot it.

    LinkedIn should definitely take security seriously.

  2. I personally recommend going straight to management with security issues.

    As you can see, first-line support does not have the technical knowledge to handle this, and they did not prioritize it properly, either.

    I would suggest contacting support again, stressing that the issue is a security vulnerability and that you need contact information for a manager. They may not give you such info, but instead may ask for more info so they can help you... but don't go that route. Instead, state again that you need to talk to someone with the authority and knowledge to handle the problem; also stress that it is a security vulnerability and that it is of some importance and/or urgency that you talk to someone about it. Basically, don't deal with first-line tech anymore; get a real manager to talk to... and keep going higher up till you get the person who can handle it.

    Note: when you get to a manager, you'll have to sum up the details in easy-to-understand terms for them (since they won't understand the technical side), but also include the technical details on how the exploit works, how to fix it, etc., which you can give to and discuss with the people who build the website.

    Well, it might be worth a try, right? :)
