The Initial Post
I recently published a blog post which showed a practical attack against Linkedin’s Intro. The post reached the front page of Hacker News (a full writeup of my experience with the “Hacker News Effect” will be posted soon for those interested), which caused the post to gain quite a bit of publicity and traction. Soon after, I was contacted by Linkedin’s security team. This was their response.
Linkedin’s Response
I was initially contacted via email by David Cintz, a member of Linkedin’s security team, wanting to talk with me about the post. While talking with him on the phone, he made it immediately clear that he didn’t call to ask me to take down the post - “Linkedin isn’t that kind of company”. Instead, he simply wanted to see if I would be willing to provide him with any additional information about the vulnerability so that they could provide the most effective fix as soon as possible.
We stayed in contact via phone and email throughout the day, and a hotfix (see the update at the top of the original post) was released in the early evening. I was asked to verify the fix to make sure that it adequately addressed the vulnerability I found. After verifying the fix, the member of the security team told me that he wanted to thank me for my help. He told me that, while they normally don’t reward vulnerabilities disclosed without previously notifying them, he appreciated my help and wanted to send me a small token of thanks.
I’ve Got Mail!
I received the following package today:
Here are the contents:
- T-Shirt
  - Front: “in”FORMANT
  - Back: <script>alert(document.cookie);</script>
  - Side: security@in
- Hand-written letter from David
- 2 Linkedin stickers
- Linkedin-branded “2 in 1” Tumbler
Conclusion
While I still believe that the security risks of using Intro will always outweigh the benefits of using it, I do think Linkedin’s security team handled the situation very well. They approached the problem quickly and professionally, while going above and beyond to show appreciation for my help. I’m a fan of giving credit where it’s due and, in this case, Linkedin’s security team certainly earned it.
Thanks, Linkedin.
Full Timeline
- October 27, 2013 - Blog Post Published
- October 28, 2013 9:53 AM PDT - Contacted by Linkedin Security Team
- October 28, 2013 approx. 2:40 PM PDT - Hotfix released
-Jordan (@jw_sec)