Style sheet vulnerability allowed attacker to hijack LinkedIn pages

LinkedIn has invited a security researcher to join its private bug bounty programme after he identified a novel exploit involving the site's cascading style sheets (CSS).

Ruben van Vreeland, CEO of BitSensor, discovered that he could use CSS to bypass LinkedIn's security systems which filter attributes and event handlers that could be used to launch cross-site scripting attacks.

By referencing existing CSS already hosted on LinkedIn, he was able to create a proof of concept to publish a page and hijack the links to redirect users to an external site.

LinkedIn published an example to prove the case, based on a user creating a new blog entry.

A JSON request can be used to create a new HTML page with an image tag and a URL:

{"content": "<p><a href=\"http://www.linkedin.com\">LinkedIn</a><img src=\"linkedin.png\"/></p>"}

There are a number of style classes that could be added to this, including .li_style.

<style>
.li_style {
   position: absolute;
   width: 100%;
   z-index: 10021;
   position: fixed;
           top: 0;
           left: 0;
           width: 100%;
           height: 100%;
           padding: 0;
           overflow-y: scroll;
           _overflow-y: hidden
}
</style>

This style is commonly used to force an element to stretch the entire width and height of a page, and it can be included in the JSON request:

{"content": "<p><a class=\"li_style\" href=\"http://www.example.com\">Example Site</a><img src=\"image.png\"/></p>"}

Used in this way, li_style makes the entire page clickable and will redirect to the URL of the attacker's choice.

Writing on the LinkedIn security blog, information security engineer Jovon Itwaru wrote: “This technique can be used to send members to sites hosting malware or counterfeit sites that attempt to phish members by requesting their usernames and passwords. This is especially successful on social sites that share blogs or articles.”