LinkedIn has invited a security researcher to join its private bug bounty programme after he identified a novel exploit involving the site’s cascading style sheets (CSS).
Ruben van Vreeland, CEO of BitSensor, discovered that he could use CSS to bypass LinkedIn’s security systems, which filter attributes and event handlers that could be used to launch cross-site scripting attacks.
By referencing existing CSS already hosted on LinkedIn, he was able to create a proof of concept to publish a page and hijack the links to redirect users to an external site.
LinkedIn published an example to prove the case, based on a user creating a new blog entry.
A JSON request can be used to create a new HTML page with an image tag and a URL:
Used in this way, li_style makes the entire page clickable and will redirect to the URL of the attacker’s choice.
On the LinkedIn security blog, information security engineer Jovon Itwaru wrote: “This technique can be used to send members to sites hosting malware or counterfeit sites that attempt to phish members by requesting their usernames and passwords. This is especially successful on social sites that share blogs or articles.”
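
The filter described above removed attributes and event handlers but still let submitted markup reach the site's own CSS. The following sanitizer is an added example, not LinkedIn's code or anything from the original article: it also restricts class names to an allowlist, so a site class such as li_style is dropped. It assumes the stylesheet is reached through a `class` attribute; the policy tables and sample input are hypothetical.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical policy: tags, attributes and class names that user-submitted
# article HTML may use. Site classes such as li_style are deliberately absent.
ALLOWED_ATTRS = {"p": {"class"}, "b": set(), "i": set(),
                 "a": {"href", "class"}, "img": {"src", "alt", "class"}}
VOID_TAGS = {"img"}
ALLOWED_CLASSES = {"article-image", "article-link"}
URL_PREFIXES = ("https://", "http://")

# Constructed sample input (not the payload from the original report).
SAMPLE = ('<p class="intro">Hi</p>'
          '<a class="li_style article-link" href="https://example.test/" onclick="x()">read</a>'
          '<img src="https://example.test/a.png" class="li_style" style="x">')


class ClassAllowlistSanitizer(HTMLParser):
    """Rebuilds markup, keeping only allowlisted tags, attributes and classes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_ATTRS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS[tag]:
                continue  # drops on* handlers, style, id and anything unlisted
            if name == "class":
                # Keep only listed classes so site-hosted CSS stays unreachable.
                value = " ".join(c for c in value.split() if c in ALLOWED_CLASSES)
                if not value:
                    continue
            if name in ("href", "src") and not value.strip().lower().startswith(URL_PREFIXES):
                continue  # drops javascript:, data: and other schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_ATTRS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(html_fragment: str) -> str:
    parser = ClassAllowlistSanitizer()
    parser.feed(html_fragment)
    parser.close()
    return "".join(parser.out)
```
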