durning few tests in few different bugbounty programs,
at 19.09 this year I found another persistent XSS in our nice job portal
www.linkedin.com
Durning mails with IT support I think it is patched now, but
if you wanna try - here you have a short list of steps to reproduce:
1. Log-in to your account
2. Go to contact lists, to 'imported contacts'
3. Edit one contact
4. In a new windows, in edited person, surename is vulnerable
to persistent XSS.
Below screen from sample 'attack':
* Update @ 01.10.2013 *
'Seems to patchet at production.' ;)
* Update @ 04.10.2013 *
LinkedIn Team once again surprised me about their answer. :)
This is realy good Team!
Good job guys!
Enjoy and remember, do only legal things ;)
Cheers
o/
No comments:
Post a Comment
What do You think...?