LinkedIn Cross-Site-Scripting (XSS) & Content Spoofing Vulnerability

A couple of days back, I reported XSS and Content Spoofing on LinkedIn. Here are the details of the issues.

Cross Site Scripting:

What is Cross Site Scripting?

XSS (cross-site scripting) allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This opens up several attack opportunities, most commonly hijacking the user's current session or changing the look of the page by rewriting the HTML on the fly to steal the user's credentials. It happens because input entered by a user is interpreted as HTML/JavaScript/VBScript by the browser.

LinkedIn XSS

Vulnerable Parameter: profile_image_url


Content Spoofing

What is Content Spoofing?

Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user, made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to the web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain.

Content Spoofing on LinkedIn

Vulnerable Parameters: profile_image_url,name,first_name,headline
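Both issues above come from reflecting request parameters into the page unmodified. The following is an added example, not code from the original post or from LinkedIn: it shows a reflected profile card built unsafely beside a hardened version. The parameter names are the ones listed in the post; the rendering functions, the allow-listed image host, the default avatar path and the sample values are assumptions made for illustration.

```javascript
// Added example. Parameter names are from the post; everything else is assumed.
const ALLOWED_IMAGE_HOSTS = new Set(["media.example.com"]); // hypothetical image host
const DEFAULT_AVATAR = "/static/default-avatar.png";        // hypothetical fallback

// Encode the characters that let a value break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute https URLs on an allow-listed host; reject everything else.
function safeImageUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null; // relative, malformed, or attribute-breaking input
  }
  if (url.protocol !== "https:") return null; // blocks javascript:, data:, http:
  if (!ALLOWED_IMAGE_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// "Before": every parameter is interpolated into the markup as-is.
function renderCardUnsafe(p) {
  return `<img src="${p.profile_image_url}"><h1>${p.first_name} ${p.name}</h1>` +
         `<p>${p.headline}</p>`;
}

// "After": the URL is validated, and every value is encoded for its HTML context.
function renderCardSafe(p) {
  const img = safeImageUrl(p.profile_image_url) ?? DEFAULT_AVATAR;
  return `<img src="${escapeHtml(img)}"><h1>${escapeHtml(p.first_name)} ` +
         `${escapeHtml(p.name)}</h1><p>${escapeHtml(p.headline)}</p>`;
}

// Constructed sample input: markup smuggled into each reflected parameter.
const sample = {
  profile_image_url: 'x" onerror="alert(1)',
  first_name: "<b>Notice</b>",
  name: "A",
  headline: '<a href="https://evil.example/">Sign in again</a>',
};

console.log(renderCardUnsafe(sample)); // markup and event handler reach the page
console.log(renderCardSafe(sample));   // values appear as inert text, default avatar used
```

Output encoding stops injected markup and script, but plain-text spoofing is still possible while identity fields are taken from the request; sourcing them from the server-side profile record removes that input entirely.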


Both the issues were fixed in a matter of time. Thank you, LinkedIn Security Team 🙂

Sunil Yadav

Sunil Yadav is a Team Lead, Security Assessment, at Network Intelligence India. He has performed security audits, penetration tests, source code reviews, threat modeling, social engineering, reverse engineering and ethical hacking trainings for some of NII's premier customers. He has consistently impressed clients with his ability to think out of the box and creatively attack systems and applications. He is well versed in methodologies such as OWASP, WASC and SDL.