LinkedIn Shuts Down Four XSS Flaws

LinkedIn has closed the door on four cross-site scripting (XSS) vulnerabilities

According to the Full Disclosure website, after injecting HTML or script code into a browser session to steal user cookies, an attacker could use a phishing mail to send members to a LinkedIn clone site that would host malware or simply steal information through keylogging.

In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. It is employed by attackers for a range of reasons, from simply interfering with websites to launching phishing attacks against web users; the scripts can even rewrite the content of the HTML page.

In LinkedIn’s case, the first XSS allowed nefarious types to go to LinkedIn Home, click on “shared an update” and attach a link, then edit it and add the XSS injection to the title and description fields. A second and third XSS let hackers go to LinkedIn Groups, select “groups you may like,” and, once they found an open group, start a discussion; the post could then be edited to contain malicious code and injections. The fourth and final XSS used the “Create a Group” function, which criminals would use to create a new group and subsequently a poll; the poll would contain the Web injection.

XSS is a widely spread issue: In its latest X-Force 2013 Mid-Year Trend and Risk Report, IBM identified XSS as the top Web application vulnerability so far this year. It also accounted for 69% of blocked attacks in FireHost’s Q4 2012 web application attack statistics reporting, up 160% quarter over quarter. And no wonder: XSS attacks are easy to initiate.

“Any teenager with a web application scanner can initiate these attacks in their free time,” said security consultant Kevin Mitnick, in an email to Infosecurity. “This increase does show, however, that when your servers are plugged in they are going to be probed – likely within several minutes or so.”

WordPress, Skype, Twitter, Facebook and others have all been targeted with XSS attacks in the past; social networking and content management sites are natural draws for the gambit, given how easily spam and phishing mails can be disseminated once the site is compromised.

The flaws on LinkedIn were first uncovered by Eduardo Garcia Melia of ISec Partners in December 2012, and then LinkedIn fixed the issues over the course of the summer. Melia submitted the outcome to security lists this week.
