UPDATE: LinkedIn responded with some clarifications of the toolbar issue, which has since been fixed:
- It applied only to people who had installed the LinkedIn Internet Explorer Toolbar product, not to users of the Linkedin.com website.
- For it to have been a risk, a user would have to be lured into navigating to a malicious webpage.
- There were no reports of malicious exploits.

The whole process relies on an evil site serving up code that makes the LinkedIn toolbar allow access to the computer in the context of the user. The question is what went wrong here. Moreover, why did the researchers dump the exploit on the internet without going through the responsible disclosure process?
DeMott said he decided to go public with the exploit after an official with Mountain View, Calif.-based LinkedIn, which has more than 12 million members, hung up on him. That is when he knew the vulnerability would end "0-day style," he said.
DeMott, who runs Rockford, Mich.-based VDA Labs with his partner Justin Seitz, said he called LinkedIn to either sell the bug or offer his company's consulting services, like he does for any vendor impacted by a vulnerability discovered by DeMott or Seitz. Source:
LinkedIn was under no obligation to even listen to these folks if this is the tactic they took. Most companies will hang up on those kinds of calls.
On the other side of that, LinkedIn should have a security group that deals with just this very thing: people cold calling and offering sales or services on some supposed bug in their code. If you make a product, odds are there is going to be a flaw in the code somewhere. LinkedIn should have responded with the standard "show me the hack, show me the code" and then worked its way through the process, as Microsoft and others do.
Both companies took a bad approach, which led to irresponsible disclosure. The reality is that many Web 2.0 companies are not geared to deal with groups or companies like DeMott's, nor do they have a robust security review of their APIs, toolbars, or other code.
Startups are known for pushing product, not for validating the security of that product. While it would be great if startups could leverage the resources of other companies for this kind of security review, they are too small to get the attention of the bigger companies. That leaves them vulnerable to the methods that DeMott and his company used: a method that might leave Web 2.0 companies cold, and leave a researcher or hacker with a valid exploit thinking they have nowhere to go but onto the internet with a potentially damaging zero-day.
LinkedIn Active-x Control Zero Day
Researchers have released a zero-day vulnerability in the LinkedIn ActiveX control that basically allows evil folks to take over your computer.