A persistent script code injection web vulnerability was detected in the group name add function of the LinkedIn social network application. The vulnerability was identified by Ismail Kaleem, Senior Security Developer at NCIT.
LinkedIn Security Ticket ID: 130429-005211
2013-04-28: Researcher Notification & Coordination
2013-04-29: Vendor Notification
2013-04-30: Vendor Response/Feedback
2013-05-23: Vendor Fix/Patch
2013-06-08: Public Disclosure
The web server does not set the HttpOnly flag on its cookies, so it is possible for an attacker to hijack cookies or inject frames with malicious content or malware.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications.
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.
The vulnerability affects group messages in LinkedIn.
An attacker can inject malicious code into group messages and completely take over the account of an unsuspecting victim.
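The two defects the advisory names are missing output encoding (stored group text is written into the page as-is) and a session cookie without the HttpOnly flag. The following added example, which is not LinkedIn's code and uses assumed function names, a constructed cookie name and a constructed group name, shows the vulnerable render pattern beside the encoded one and a cookie header a reviewer can check for the flag:

```javascript
// Added example (not LinkedIn's code). Function names, the cookie name and the
// sample group name are assumptions constructed for this illustration.

// Encode the characters that let stored text break out of an HTML text node or
// attribute value. Applied at render time, to every value read from storage.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored group name is concatenated into the page
// verbatim, so any markup it contains becomes part of the DOM for every
// visitor of the group (the "persistent" part of the advisory).
function renderGroupHeaderUnsafe(groupName) {
  return `<h2 class="group-name">${groupName}</h2>`;
}

// Fixed pattern: same template, but the stored value is encoded first, so
// markup is displayed as text instead of being interpreted.
function renderGroupHeader(groupName) {
  return `<h2 class="group-name">${escapeHtml(groupName)}</h2>`;
}

// Session cookie header with the flags the advisory says were missing.
// HttpOnly keeps document.cookie from reading it, so even a successful script
// injection cannot read the session id; Secure restricts it to HTTPS.
// The cookie name "session" is a constructed example.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Review check usable on any Set-Cookie header string: is a given flag present?
function cookieHasFlag(header, flag) {
  return header
    .split(";")
    .map((part) => part.trim().toLowerCase())
    .includes(flag.toLowerCase());
}

// Detection check on rendered output: does a raw <script tag survive rendering?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a stored group name that carries markup, as an
// attacker-controlled value would. Nothing is executed here; only the rendered
// strings are inspected.
const storedName = "Security Pros <script>alert(1)</script>";

console.log("unsafe :", renderGroupHeaderUnsafe(storedName));
console.log("encoded:", renderGroupHeader(storedName));
console.log("cookie :", sessionCookieHeader("abc123"));
```

Running the block prints the unencoded header (the script tag is intact and would run in every group member's browser), the encoded header (the tag is displayed as literal text), and a cookie header that `cookieHasFlag(header, "HttpOnly")` accepts. The encoding belongs at the output step, not at input validation time, because the same stored value can be rendered in more than one context.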
Example of a persistent attack
Mr Xyz posts a message with a malicious payload to a LinkedIn group.
When Mr Abc visits the group, Xyz's XSS payload steals Abc's cookie.
Mr Xyz can now hijack Abc's session and impersonate Abc.
The malicious code is stored on the server and is executed when the content is processed client-side, in the browser of every user who views the group. It is also possible for an attacker to use the injected code to compromise the victim through browser-based exploit packs.
Particularly in the case of social networking sites, the code could be further designed to self-propagate across accounts, creating a type of client-side worm.