I was invited to publish on LinkedIn.
I wondered how good LinkedIn is at multi-byte UTF-8 support (I had recently fixed some bugs in Liferay related to escaping and surrogate pairs) and noticed a strange thing.
When processing URLs, LinkedIn replaces escaped characters with their unescaped form, i.e. it removes the escaping.
" → "
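To show why that behaviour matters, here is an added example (constructed for this post, not LinkedIn's code): a URL-processing step that percent-decodes a user-supplied link and writes the decoded text straight into an href attribute, next to a version that keeps the encoding contract. The sample URL, function names and the http(s)-only allow-list are assumptions of the example.

```python
"""Why "unescape then embed" breaks an href attribute, and how to keep it intact.

Constructed example: a percent-decoding step that writes the decoded text into an
attribute (the flaw) beside a version that re-encodes for each output context.
"""
from html import escape
from typing import Optional
from urllib.parse import quote, unquote, urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumed policy for this example


def render_link_vulnerable(user_url: str) -> str:
    # Mirrors the flaw described in the post: escaped characters are replaced by
    # their unescaped form, so an encoded '"' becomes a raw '"' inside the
    # attribute value and terminates it early.
    decoded = unquote(user_url)
    return f'<a href="{decoded}">link</a>'


def render_link_hardened(user_url: str) -> Optional[str]:
    # Decode only to inspect the URL, refuse anything but http(s), then re-apply
    # percent-encoding for the URL context and HTML-escape for the attribute.
    parts = urlsplit(unquote(user_url))
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    safe_url = urlunsplit((
        parts.scheme.lower(),
        parts.netloc,
        quote(parts.path, safe="/"),
        quote(parts.query, safe="=&/?"),
        quote(parts.fragment, safe=""),
    ))
    return f'<a href="{escape(safe_url, quote=True)}">link</a>'


def attribute_intact(html: str) -> bool:
    # Detection helper: the rendered tag must contain exactly the two quotes
    # that delimit the href value; any extra raw '"' means the attribute broke.
    return html.count('"') == 2


# Constructed input: a URL whose path carries a percent-encoded double quote.
SAMPLE = "http://example.com/page%22name"
```

Run `attribute_intact(render_link_vulnerable(SAMPLE))` versus `attribute_intact(render_link_hardened(SAMPLE))` to see the difference the decoding step makes.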
Then it was easy to craft a few vectors to test for stored XSS.
June 17, 2014 10:43 PM CEST – Reported to Linkedin Security Team
June 17, 2014 11:09 PM CEST – ACKed they received it
June 18, 2014 01:04 AM CEST – Reproduced
June 19, 2014 04:12 AM CEST – Got email that it's fixed
After this I was a bit scared, so I quickly looked at the other LinkedIn features I use as well, and found another vulnerability in a feature I trust and would be a good victim for :/
But, for now, please stay tuned until they fix it. You know, I'm a white hat = harmless ;)