LinkedIn Issues Security Patches to Plug Loopholes
Researchers at a Spanish security company, Internet Security Auditors, discovered several software flaws in the business social-networking site LinkedIn which, if exploited, could lead to malware infections, phishing attacks, or theft of members' identifying details. Now that LinkedIn has developed security patches for the vulnerabilities, the researchers have decided to publish their findings.
According to Eduardo Garcia Melia, a researcher at the company, he found several XSS (cross-site scripting) flaws affecting LinkedIn's investor page, through which an attacker could easily inject malicious script or HTML into that web page. Threatpost.com reported this during the last week of March 2013.
Melia said that a malicious person could use the vulnerability to send phishing e-mails to LinkedIn visitors, exploiting their trust in the site to deceive them. The attacker could also inject script or HTML code and carry out phishing attacks against the victims' browsers, which would allow him to perform XSS attacks or capture cookies from the targeted user's machine, he explained.
Specifically, the attack would redirect a user to an attacker-controlled web page, a fake LinkedIn page on which the person might be prompted to re-enter his identifying details, or to a website hosting further malware.
Earlier, in January 2013, Vincente Aguilera Diaz, a colleague of Melia, reported several CSRF (cross-site request forgery) flaws affecting LinkedIn's "Add Connections" utility, particularly its "Send Invitation" feature.
Diaz explained that anyone exploiting the flaws would craft a web page containing malicious code that abused the CSRF flaws, and then embed a link to that page in LinkedIn member groups with a very large number of users. When these users clicked the link, they would be authenticated on the site, and successful exploitation of the flaw would result in the users being added to the attacker's address book. In this way, Diaz explained, the attacker could gain access to LinkedIn members' personal information, as reported by softpedia.com during the last week of March 2013.
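To illustrate why the "Send Invitation" request described above was forgeable, and what closes the hole, here is an added example (not LinkedIn's code and not from the researchers) that models a state-changing invitation endpoint two ways: a handler that trusts the session cookie alone, and a hardened one that also requires a session-bound anti-CSRF token and a same-site Origin header. The endpoint shape, the secret key and the request dictionaries are constructed for the example.

```python
import hashlib
import hmac

# Constructed server-side secret; in a real deployment this comes from config.
SECRET_KEY = b"example-only-server-secret"
SITE_ORIGIN = "https://www.linkedin.com"  # the site's own origin (assumed)


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the user's session, so a token leaked or minted
    for one session cannot authorise requests in another."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_send_invitation(request: dict, session_id: str) -> tuple:
    """Pattern behind the reported CSRF flaw: any request carrying a valid
    session cookie is acted on, wherever the browser was sent from."""
    if not session_id:
        return 401, "not logged in"
    return 200, f"invitation sent to {request['form']['target']}"


def hardened_send_invitation(request: dict, session_id: str) -> tuple:
    """Same endpoint with two independent CSRF checks."""
    if not session_id:
        return 401, "not logged in"
    # 1. Browsers attach Origin to cross-site POSTs; a foreign origin is rejected.
    origin = request["headers"].get("Origin", "")
    if origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # 2. The form must carry the session-bound token the attacker's page cannot read.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, f"invitation sent to {request['form']['target']}"


# Constructed request as an attacker-controlled page would make the victim's
# browser send it: the cookie (session) rides along, but no token and a foreign Origin.
FORGED_REQUEST = {
    "headers": {"Origin": "https://attacker.example"},
    "form": {"target": "attacker-profile"},
}


def legitimate_request(session_id: str) -> dict:
    """Constructed request as the site's own invitation form would submit it."""
    return {
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"target": "colleague", "csrf_token": issue_csrf_token(session_id)},
    }
```

Running both handlers on the forged request shows the vulnerable one returning 200 and the hardened one 403, while the legitimate request passes the hardened checks.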
SPAMfighter News - 11-04-2013