LinkedIn with Two-factor authentication and Cross Site Scripting Flaw

2013-06-04T07:29:00
ID THN:7EB51B9E7CE643C1A72C19637F220635
Type thn
Reporter Mohit Kumar
Modified 2013-06-04T18:31:56

Description

Two-factor authentication is becoming a standard in the enterprise security space, in an attempt to give end users a second layer of protection against malicious attacks.

Following Dropbox, Google and virtually everyone else, LinkedIn added two-factor authentication to its login process today.

LinkedIn will provide temporary codes for two-factor authentication through SMS messages. The extra step is designed to lessen the chances of computer hackers breaking into user accounts.

To turn on two-step verification on LinkedIn, hit the icon in the top-right corner of the site, click on “Privacy & Settings,” and then on “Manage security settings” at the bottom.

The site has provided instructions to its 225 million users on how to turn on the optional service.

On the other side, today @The_Pr0ph3t, a white-hat hacker from Spain, reported a cross-site scripting vulnerability on the LinkedIn Developer site (developer.linkedin.com).

The flaw still exists on the website at the time of writing, and the hacker has also reported it to the LinkedIn developer team for a patch.

Proof of Concept:
http://developer.linkedin.com/search/node/%22%3E%3Csvg/onload%3Dalert%281%29%3B%3E%22%3E%3Csvg/onload%3Dalert%281%29%3B%3E
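The proof of concept above is a reflected XSS: the search term in the URL path is written back into the page without HTML encoding, so the `"><svg/onload=...>` text closes the surrounding attribute and is parsed as markup. The following is an added example, not code from the article or from LinkedIn, that reproduces that class of bug in a small mock search-page renderer and shows the fix (encoding the term at the point of output). The `renderSearchVulnerable`/`renderSearchSafe` templates and the `countTags` check are assumptions made for the illustration; the payload string is decoded from the PoC URL quoted in the article.

```javascript
// Added example (not from the article): why a reflected search term must be
// HTML-encoded before it is written into the page, and a check that catches it.

// PoC path from the article; decodeURIComponent yields the raw search term that
// the vulnerable page reflects: "><svg/onload=alert(1);> (twice).
const POC_PATH = '/search/node/%22%3E%3Csvg/onload%3Dalert%281%29%3B%3E%22%3E%3Csvg/onload%3Dalert%281%29%3B%3E';
const PAYLOAD = decodeURIComponent(POC_PATH.split('/search/node/')[1]);

// Encode the five characters that can change HTML parsing context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable (hypothetical) renderer: the query is concatenated raw into an
// attribute value and into the page body, which is the bug pattern in the PoC.
function renderSearchVulnerable(query) {
  return `<input type="text" value="${query}"><p>Results for ${query}</p>`;
}

// Hardened renderer: identical template, but the query is encoded on output.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<input type="text" value="${q}"><p>Results for ${q}</p>`;
}

// Counts element start tags. The template itself contains exactly two
// (<input ...> and <p>), so any higher count means the query injected markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Detection helper usable as a unit test or CI gate for a page template:
// render a hostile term and confirm no extra tags appear.
function leaksMarkup(renderFn, query) {
  return countTags(renderFn(query)) > countTags(renderFn('benign'));
}

console.log('payload:', PAYLOAD);
console.log('vulnerable leaks markup:', leaksMarkup(renderSearchVulnerable, PAYLOAD));
console.log('hardened leaks markup:', leaksMarkup(renderSearchSafe, PAYLOAD));
```

The same test applies to any page that echoes a URL component: render it once with a benign value and once with a value containing `<`, `>` and `"`, and compare the number of tags; the fix is always encoding for the exact context (attribute, text, URL, script) the value is placed into, never a blacklist of known payloads.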