Slashdot Mirror


LinkedIn's Own CSS Abused For Clickjacking Attacks

An anonymous reader writes: LinkedIn has fixed a security bug that allowed attackers to use its own CSS code for clickjacking attacks. Basically, attackers can create blog posts and load CSS classes from LinkedIn's own stylesheets. If a reader lands on that blog post, then a malicious link can be shown for the entire area of the page. Not something "unique" since this type of method is quite well-known, but you don't generally expect to find these kinds of attacks on LinkedIn's own platform. (Here's a link to the LinkedIn security blog. Sorry for not linking to the particular blog — LinkedIn has a weird URL policy. It's the first one.)
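
A server-side mitigation for the bug class described in the summary, as an added example that is not part of the original story and not LinkedIn's code: user-submitted post HTML is re-emitted with only allowlisted tags, attributes and class names, so a link in a post cannot pick up a site-wide layout class. The tag list, the class names and the sample input are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: classes authors may use in post bodies (hypothetical names).
ALLOWED_CLASSES = {"quote", "caption"}
# Assumption: tags permitted in user posts, each with its permitted attributes.
ALLOWED_TAGS = {"p": set(), "em": set(), "a": {"href", "class"}, "span": {"class"}}

class PostSanitizer(HTMLParser):
    """Re-emit user HTML, keeping only allowlisted tags, attributes and classes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped_classes = []  # worth logging: signals attempted class reuse

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                continue  # drops style=, id=, on*= and anything else unlisted
            if name == "class":
                names = value.split()
                self.dropped_classes += [c for c in names if c not in ALLOWED_CLASSES]
                value = " ".join(c for c in names if c in ALLOWED_CLASSES)
                if not value:
                    continue
            if name == "href" and not value.lower().startswith(("https://", "http://")):
                continue  # only absolute http(s) links survive
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize_post(html):
    """Return (sanitized_html, list_of_class_names_that_were_removed)."""
    parser = PostSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped_classes

# Constructed sample: a link that borrows a site-wide layout class (hypothetical name).
SAMPLE = ('<p>Hello</p><a class="full-page-overlay quote" '
          'href="https://example.com/x" style="opacity:0">more</a>')
```
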

12 comments

  1. Don't post stories about LinkedIn by Anonymous Coward · · Score: 0

    Simple solution to their "URL policy". Don't post stories about them and certainly don't link to them. Apparently LinkedIn doesn't like links.

  2. Lol, "security"? Never heard of her? by JustAnotherOldGuy · · Score: 3

    "...a link to the LinkedIn security blog"

    Oh The Irony, it's sooooooooo delicious.

    Forgive me if I decline to click on a link that's on the very site that the security vulnerability story is about. I was born at night, but not last night.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  3. Re:Damn Preverts by Anonymous Coward · · Score: 0

    I love it EVEN MORE when a GREAT BIG COCK is JAMMED all the way UP MY ASS until it BLEEDS!

    The cock or your ass?

  4. So? by guruevi · · Score: 1

    This is more of a browser issue that allows content to be loaded from domains not in the original request. A lot of malware can be prevented that way. If you really need to use 3rd party content, let your domain HTTP server proxy the request (and cache it), that way you also prevent content being loaded you didn't intend to load. It also will reduce load times on your pages as there is no overhead on a million DNS requests and different servers being involved.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:So? by holostarr · · Score: 1

      You didn't read the article, did you? There was no 3rd party content, the attack used LinkedIn's OWN CSS!

  5. I'm a little confused by MisterSquid · · Score: 2

    I'm a little sheepish about having to ask a question to understand the nature of this bug. Hopefully someone is willing to provide an explanation.

    So, I understand the content/markup could be loaded via JSON (I'm presuming an AJAX call) and that the vulnerability was a CSS class that allowed a link inside the JSON to be styled to cover the entire page, thus maximizing the likelihood of an unsuspecting user clicking on the target link (malicious or not).

    My question is "Did this technique merely maximize the likelihood of clicking on a link already on the page?" From what I can understand the possibly malicious link has to already reside in the JSON, the CSS vulnerability simply took that link and expanded it to cover the entire page.

    Am I missing something here? Thanks, in advance, for any clarification.

    --
    blog
    1. Re:I'm a little confused by holostarr · · Score: 1

      Yes, that's what clickjacking is. In this case, the attacker increases the chance you click his link to 100%.

    2. Re:I'm a little confused by MisterSquid · · Score: 1

      Got it. Thanks for the reply.

      --
      blog
  6. Who cares about LinkedIn's "policy"? by Thing+1 · · Score: 1

    This is the WWW, where links are what make the damned thing work! Thanks LinkedIn for trying to crawl back into a cave.

    --
    I feel fantastic, and I'm still alive.
  7. LinkedIn is itself an attack... by Anonymous Coward · · Score: 0

    It used to be an imperfect but useable networking site. Now it may be worse than Facebook.