Style sheet vulnerability allowed attacker to hijack LinkedIn pages

LinkedIn has invited a security researcher to join its private bug bounty programme after he identified a novel exploit involving the site’s cascading style sheets (CSS).

Ruben van Vreeland, CEO of BitSensor, discovered that he could use CSS to bypass LinkedIn’s security systems which filter attributes and event handlers that could be used to launch cross-site scripting attacks.

By referencing existing CSS already hosted on LinkedIn, he was able to create a proof of concept that published a page and hijacked its links to redirect users to an external site.

LinkedIn published an example to prove the case, based on a user creating a new blog entry.

A JSON request can be used to create a new HTML page with an image tag and a URL:

{"content": "<p><a href=\"\">LinkedIn</a><img src=\"linkedin.png\"/></p>"}

There are a number of style classes that could be added to this, including .li_style.

.li_style {
position: absolute;
width: 100%;
z-index: 10021;
position: fixed;
top: 0;
left: 0;
width: 100%;
height: 100%;
padding: 0;
overflow-y: scroll;
_overflow-y: hidden; /* underscore-prefixed property: legacy IE-only hack */
}

This style is commonly used to force an element to stretch the entire width and height of a page, and it can be included in the JSON request:

{"content": "<p><a class=\"li_style\" href=\"\">Example Site</a><img src=\"image.png\"/></p>"}

Used in this way, li_style makes the entire page clickable and will redirect to the URL of the attacker’s choice.
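The weakness described above is that the input filter blocked event handlers and dangerous URLs but let any `class` attribute through, so a post could borrow site-hosted CSS such as `.li_style`. The following sanitizer is an added example written for this article, not LinkedIn's code; it rebuilds user-submitted HTML from an allowlist of tags and attributes and lets you compare a "class passes through" policy with one that only admits classes from a small allowlist. The tag set, the `CLASS_ALLOWLIST` names and the sample `SUBMITTED` fragment are constructed for the example.

```python
"""Allowlist-based sanitizer for user-submitted blog HTML (added example).

Policies for the `class` attribute:
  "any"       - keep every class (the weak behaviour the article describes)
  "allowlist" - keep a class attribute only if every class is pre-approved
  "none"      - strip class attributes entirely
Event handlers, inline style and non-http(s) URLs are always dropped.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "a", "img", "strong", "em", "br"}
VOID_TAGS = {"img", "br"}
URL_ATTRS = {("a", "href"), ("img", "src")}
SAFE_SCHEMES = {"http", "https", ""}          # "" = relative URL

# Classes an author may legitimately use in a post (constructed sample).
CLASS_ALLOWLIST = {"caption", "pull-quote"}


class Sanitizer(HTMLParser):
    def __init__(self, class_policy):
        super().__init__(convert_charrefs=True)
        self.class_policy = class_policy
        self.out = []
        self.open_stack = []

    def _keep_attr(self, tag, name, value):
        value = (value or "").strip()
        if name.startswith("on") or name == "style":
            return False                      # event handlers, inline CSS
        if (tag, name) in URL_ATTRS:
            return urlparse(value).scheme.lower() in SAFE_SCHEMES
        if name == "class":
            if self.class_policy == "none":
                return False
            if self.class_policy == "allowlist":
                return all(c in CLASS_ALLOWLIST for c in value.split())
            return True                       # "any": the weak policy
        return False                          # every other attribute dropped

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                            # unknown tag: keep text only
        kept = [(n, v) for n, v in attrs if self._keep_attr(tag, n, v)]
        attr_text = "".join(
            f' {n}="{escape((v or "").strip(), quote=True)}"' for n, v in kept)
        if tag in VOID_TAGS:
            self.out.append(f"<{tag}{attr_text}/>")
        else:
            self.out.append(f"<{tag}{attr_text}>")
            self.open_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)      # avoid a stray end tag for <img/>

    def handle_endtag(self, tag):
        if tag in self.open_stack:
            while self.open_stack:            # close anything left open inside
                t = self.open_stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data))

    def result(self):
        self.close()
        while self.open_stack:                # close tags the author left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(html, class_policy="allowlist"):
    s = Sanitizer(class_policy)
    s.feed(html)
    return s.result()


# Constructed sample modelled on the request shown in the article.
SUBMITTED = ('<p><a class="li_style" href="https://example.invalid/" '
             'onclick="alert(1)">Example Site</a><img src="image.png"/></p>')

if __name__ == "__main__":
    print("weak    :", sanitize(SUBMITTED, "any"))
    print("hardened:", sanitize(SUBMITTED, "allowlist"))
```

Under the "any" policy the `onclick` handler is removed but `class="li_style"` survives, which is exactly the gap the proof of concept used; under the allowlist policy the class is dropped and the link renders as an ordinary inline anchor. Pre-approving class names is the cheaper fix; scoping user content into its own CSS namespace so that site classes cannot be reached from it is the more durable one.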

Writing on the LinkedIn security blog, information security engineer Jovon Itwaru wrote: “This technique can be used to send members to sites hosting malware or counterfeit sites that attempt to phish members by requesting their usernames and passwords. This is especially successful on social sites that share blogs or articles.”
