Friday, June 20, 2014

LinkedIn Stored XSS Vulnerability

TL;DR: I found a stored XSS on LinkedIn, that's all folks, nothing special.


I was invited to publish on LinkedIn.

I wondered how good is LinkedIn at multi-byte UTF-8 support (fixed some bugs recently in Liferay related to escaping and surrogate pairs) and noticed a strange thing.

When processing URLs, LinkedIn exchanges escaped characters with their unescaped form = removes the escaping.

" → "

Then it was easy to create some vectors to try the stored XSS:


June 17, 2014 10:43 PM CEST – Reported to Linkedin Security Team
June 17, 2014 11:09 PM CEST – ACKed they received it
June 18, 2014 01:04 AM CEST – Reproduced
June 19, 2014 04:12 AM CEST – Got email that it's fixed


After this I was a bit scared so I quickly looked also at other LinkedIn features that I use. And found another vulnerability in the feature I trust and would be a good victim for :/

But, for now, please stay tuned until they fix it. You know, I'm the white-hat = harmless ;)