Researchers have released a zero day vulnerability in the LinkedIn active-x control that basically allows evil folks to own your computer.
UPDATE: LinkedIn responded with some clarifications of the toolbar issue, which has since been fixed:
– It applied only to people who had installed the LinkedIn Internet Explorer Toolbar product – not to users of the Linkedin.com website.
– For it to have been a risk, a user would have to be lured into navigating to a malicious webpage.
– There were no reports of malicious exploits.
The whole process relies on an evil site serving up code that makes the linked in tool bar allow access to the computer in the context of the user. The question is what went wrong here. Moreover, why did the researchers dump the exploit on the internet without doing the whole responsible disclosure process.
DeMott said he decided to go public with the exploit after an official with Mountain View, Calif.-based LinkedIn, which has more than 12 million members, hung up on him. That is when he knew the vulnerability would end “0-day style,” he said.
DeMott, who runs Rockford, Mich.-based VDA Labs with his partner Justin Seitz, said he called LinkedIn to either sell the bug or offer his company’s consulting services, like he does for any vendor impacted by a vulnerability discovered by DeMott or Seitz. Source: SC Magazine
The SC Magazine article makes it sound like Demott’s company wanted to sell something to LinkedIn. This is generally a poor approach overall because linked in probably thought it was a sales guy trying to worm their way into the company based on information that may or may not have been true.
Trying to actually sell the exploit to LinkedIn given all the other ways of selling evil code, was also going to be frowned upon by just about anyone. Usually researchers do the work, and then do it for name recognition, and only a few do it for profit.
While there are many information security conventions in the above statement, Linked In’s response is predictable, “oh sales, later”. While the company might have meant well, DeMott and company did not sell themselves, and took on a tactic more common from run of the mill hackers groups. Oh hey I have this vulnerability in your code, hire me and I’ll fix it, or I’ll sell you the hack.
Linked in was under no obligation to even listen to these folks if this is the tactic that they took. Most companies will hang up on those kinds of calls.
On the other side of that LinkedIn should have a security group that deals with just this very thing, people cold calling and offering sales/service on some supposed bug in their code. If you make a product, odds are most likely that there is going to be a flaw in the code somewhere. Linked in should have responded with the standard “show me the hack, show me the code” and then worked their way through the process, as Microsoft and others do.
Both companies took a bad approach which lead to irresponsible disclosure. The reality is that many web 2.0 companies are not geared to deal with groups or companies like DeMott, nor do they have a robust security review of their API’s, Toolbars, or other code sets.
Startups are known for pushing product, not for validating the security of that product. While it would be great if Startups would leverage the resources of other companies to do this kind of security review, they are too small to get the attention of the bigger companies. That leaves them vulnerable to the methods that DeMott and his company pulled. A method that might leave Web 2.0 companies cold, and leaving a researcher/hacker with a valid exploit thinking that they have nowhere to go but onto the internet with a potentially damaging zero day.
