Photo 1: exploded thumbnail

Today I was using LinkedIn and noticed a message was posted about the upcoming Black Hat and DEFCON security conferences in Las Vegas.  At the bottom of the persons post there are a bunch of thumbnail images of contacts we both have in common.  If you have browsed a few articles on LinkedIn you probably have seen these thumbnails before.

Photo 1 is the result of hovering my mouse over one of the contacts at the bottom of the authors post.  These are the contacts we have in common.  Again, nothing new here, you have probably seen this before.  I noticed in the exploded view, the HTML entity tag for ampersand, circled in red, looked out of place.  At first, I was thinking perhaps this person entered the entity tag directly.  Some people online enter some strange stuff to get your attention, especially security people.

When I opened the persons profile, Photo 2, I noticed the ampersand was shown not the entity tag.  What can we do with this knowledge?  Well probably not much, at least just yet.  The point is there is a bug in LinkedIn application code that is screwing up escaping of entity references.  The code is getting confused between HTML code and characters the user types from the keyboard.

Photo 2: profile view

Why is the confusion between the characters we type and HTML code important?  It’s precisely in the area of escaping and character encoding where we find Cross-site Script Injection (XSS) vulnerabilities.  XSS is not anything new and it’s listed on the OWASP Top 10 (A1) but it’s listed as A1 on the OWASP Top 10 for good reason, it’s pervasive.

In this LinkedIn example, the ampersand is likely a programming bug and nothing more.  We can’t do much with an ampersand that’s changed to an entity reference.  However, if it were possible to include code within our tag lines it may not be properly escaped or improperly rendered.  Of course, the code would have to be short since there are limitations to the number of characters that can be stored in a tag line.  If a vulnerability could be found here, the benefit to an attacker is that they can hijack LinkedIn user browsers who view the exploded thumbnails, Photo 1.  On a site like LinkedIn this is probably a lot of users.

In closing, I am not showing you LinkedIn vulnerabilities.  I have no idea if there is a vulnerability in this code.  In fact, I don’t want to know.  I have conducted no testing against these interfaces or used any tools.  All I have proven is that there’s a program bug and we can write blog posts about bugs safely online.  Security begins by noticing what’s around you.

See you at DEFCON next week!