A successful CSRF exploit can compromise end-user data and operations in the case of a normal user.
If the targeted end user is an administrator account, it can compromise the entire web application.
A malicious user can access the information shared by users who have been added to her contacts, without their consent or knowledge.
January 16, 2013: Initial release
March 30, 2013: New update
January 16, 2013: Vulnerability acquired by Internet Security Auditors.
Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, and security compliance implementation and assessment.
Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ICT, etc.
We are a vendor-independent provider with deep expertise since 2001.
Our R&D efforts include vulnerability research, collaboration on open security projects, whitepapers, presentations, and participation in and promotion of security events.
Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user.
LinkedIn is vulnerable to XSS attacks during a DWR (Direct Web Remoting, an open source Java library) call, through the "c0-id" parameter.
The code injection is done through the parameter warning in the page
Malicious Request:
An attacker can execute arbitrary HTML or script code in the targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.
All data received by the application that can be modified by the user must be validated before any kind of transaction is performed with it.
The end user's browser has no way to know that the script should not be trusted, and will execute it.
Because the browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
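The validation and encoding the advisory calls for, shown as an added example that is not part of the original advisory and is not DWR's or LinkedIn's own code: it assumes (an assumption for this example, not something the page states) that a call id such as "c0-id" is expected to be a small non-negative integer, so the value is allow-list validated before it is echoed, and the script response format is a simplified stand-in rather than DWR's real output.

```javascript
// Added example: validate and encode a reflected call id before it is echoed
// into a generated script response. That c0-id must be a non-negative integer
// is an assumption for this example; the response format is a simplified stand-in.
const CALL_ID_RE = /^[0-9]{1,9}$/;

// Constructed sample request bodies for the example, not real traffic.
const SAMPLE_BODIES = [
  "callCount=1&c0-id=0&c0-scriptName=Profile&c0-methodName=get",
  "callCount=1&c0-id=0'%3C%2Fscript%3E&c0-scriptName=Profile&c0-methodName=get",
];

// Parse an application/x-www-form-urlencoded body into a Map of decoded values.
function parseBody(body) {
  const params = new Map();
  for (const pair of body.split("&")) {
    const i = pair.indexOf("=");
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? "" : pair.slice(i + 1);
    params.set(decodeURIComponent(k), decodeURIComponent(v.replace(/\+/g, " ")));
  }
  return params;
}

// Escape a value for use inside a single-quoted JS string literal: every
// character outside a conservative allow-list becomes a \uXXXX escape, so the
// reflected value can neither close the string nor the enclosing script element.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9 _.-]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Unsafe: the behaviour the advisory describes, the id is echoed verbatim.
function renderCallbackUnsafe(params) {
  return `handleCallback('${params.get("c0-id")}', {})`;
}

// Hardened: allow-list validation first, then context-aware encoding.
// Returns null for a rejected request so the caller can answer with 400.
function renderCallbackSafe(params) {
  const id = params.get("c0-id");
  if (id === undefined || !CALL_ID_RE.test(id)) return null;
  return `handleCallback('${jsStringEscape(id)}', {})`;
}
```

Running the hardened handler over the second constructed body rejects it outright, whereas the unsafe handler reflects the closing script tag into the response.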
Original release date: January 30th, 2013
Last revised: March 25th, 2013
Discovered by: Vicente Aguilera Diaz
Severity: 4.3/10 (CVSSv2 Base Score)
LinkedIn is a social networking service and website for professionals. As of September 30, 2012 (the end of the third quarter), professionals were signing up to join LinkedIn at a rate of approximately two new members per second.