An NFN8 Media publication.

LinkedIn Toolbar Vulnerability Alert

Security researchers (some would say hackers; more on that below) have discovered a vulnerability in the LinkedIn Internet Explorer Toolbar which can be exploited to execute malicious code on a user’s system. Until LinkedIn releases an update, users of the toolbar are advised to disable or uninstall it. The vast majority of LinkedIn users are not affected, since the vulnerability can only be exploited if:

  1. You are using Internet Explorer, and
  2. The LinkedIn toolbar for IE is active, and
  3. You visit a malicious site with exploit code.

See the Secunia advisory for more details.

This case is bound to spark some ethical controversy, both over the researchers’ business model and over LinkedIn’s handling of the matter.

According to SC Magazine, security researchers Jared DeMott and Justin Seitz discovered the vulnerability and contacted LinkedIn to report it, but LinkedIn hung up on them. Why? Because DeMott and Seitz charge for their services:

DeMott, who runs Rockford, Mich.-based VDA Labs with his partner Justin Seitz, said he called LinkedIn to either sell the bug or offer his company’s consulting services, like he does for any vendor impacted by a vulnerability discovered by DeMott or Seitz.

VDA Labs charges about $175 to $200 an hour for consulting and usually about $5,000 to purchase a significant zero-day flaw, DeMott said.

LinkedIn’s take on this seems to be that it’s a form of extortion:

Kay Luo, spokeswoman for LinkedIn, told SCMagazine.com today that the company does not respond to researchers looking to profit off vulnerabilities.

DeMott and Seitz don’t see it as extortion, though:

DeMott understands how companies such as LinkedIn may think of his and Seitz’s business model as questionable, but he said he is “not trying to do damage to them.”

“I see both sides of it,” he admitted. “But I also see that as a researcher, I work hard days and nights to find these bugs. I think we deserve some compensation.”

When LinkedIn declined to respond, DeMott decided to release the vulnerability “0-day style”, i.e., publicly. His take? Public disclosure is in the users’ best interest: those at risk can protect themselves, and the company is pressured to resolve the issue quickly.

So what’s your take on this? Helpful hacking? Or e-extortion? And what about LinkedIn’s response?

