LinkedIn patches serious persistent XSS vulnerability

The persistent XSS flaw allowed hackers to spread XSS worms through the LinkedIn help forums.

Rohit Dua

A persistent cross-site scripting (XSS) vulnerability impacting recruitment network LinkedIn has been fixed within hours of being reported.

India-based security researcher Rohit Dua discovered the website's vulnerability and disclosed the flaw Wednesday on Full Disclosure.

The flaw impacted LinkedIn's help forums. Persistent XSS is dubbed a "more devastating variant" of cross-site scripting because malicious data provided by an attacker is saved by the server and permanently displayed on Web pages accessed by normal users of the website.

The vulnerability lay within LinkedIn's help portal. To exploit the flaw, a user had to sign in, go to the LinkedIn Help Center and then start a discussion. In the "give more details" tab, which opens up when asking a question, an attacker could submit lines of code that could then be executed when the question was automatically posted to the forum.

Had this vulnerability been exploited, XSS worms could easily have been spread through the help forums and malicious code could have been executed.
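An added illustration of the flaw class described above, not LinkedIn's code and not taken from the researcher's disclosure: a constructed in-memory forum where the "details" text is stored and later rendered, first by raw concatenation and then with HTML output encoding. All function names and sample posts are assumptions made for the example.

```javascript
// Added example: hypothetical in-memory help forum, not LinkedIn's implementation.
const posts = []; // stands in for the server-side store

// Save a question exactly as submitted; encoding happens at render time.
function submitQuestion(title, details) {
  posts.push({ title, details });
  return posts.length - 1;
}

// Encode the characters that are significant in HTML text and quoted attributes.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: stored text is concatenated into the page, so any markup
// in it becomes part of the document served to every reader.
function renderUnsafe(id) {
  const p = posts[id];
  return `<article><h2>${p.title}</h2><div class="details">${p.details}</div></article>`;
}

// Hardened pattern: every stored field is encoded for the HTML context it lands in.
function renderSafe(id) {
  const p = posts[id];
  return `<article><h2>${escapeHtml(p.title)}</h2>` +
         `<div class="details">${escapeHtml(p.details)}</div></article>`;
}

// Post-fix audit: list stored posts that contain tag-like text and need review.
function findPostsWithMarkup() {
  return posts
    .map((p, id) => ({ id, text: `${p.title}\n${p.details}` }))
    .filter(({ text }) => /<[a-z!\/]/i.test(text))
    .map(({ id }) => id);
}

// Constructed sample input (harmless marker script, not taken from the disclosure).
const benignId = submitQuestion('Export contacts', 'Works if rows < 500 && format is "csv"');
const markupId = submitQuestion('Login help', '<script>window.marker = 1</script>');

console.log(renderUnsafe(markupId)); // script element reaches the page intact
console.log(renderSafe(markupId));   // same text arrives as inert character data
console.log(findPostsWithMarkup());  // ids to review after deploying the fix
```

Encoding at output time leaves legitimate text such as `rows < 500` readable, and the audit helper covers content that was stored before the fix shipped.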

Happily for users, LinkedIn rapidly worked to fix the bug after Dua told the company of his findings, and the flaw was patched in less than three hours. Dua notified LinkedIn of the vulnerability at 11 p.m. and received a response within 15 minutes. By 2 a.m., the XSS flaw was patched.

A LinkedIn spokesperson said no user data was ever at risk, thanking the researcher for his work in keeping users safe.
