Security researchers (some would say hackers – more on that below) have discovered a vulnerability in the LinkedIn Internet Explorer Toolbar, which can be exploited to execute malicious code on a user’s system. Until LinkedIn releases an update, users of the toolbar are advised to disable or uninstall it. This does not affect the vast majority of LinkedIn users, as the vulnerability can only be triggered if:
- You are using Internet Explorer, and
- The LinkedIn toolbar for IE is active, and
- You visit a malicious site with exploit code.
See the Secunia advisory for more details.
This case is bound to spark some ethical controversy, both in the security industry and regarding LinkedIn’s handling of the matter.
According to SC Magazine, security researchers Jared DeMott and Justin Seitz discovered the vulnerability and contacted LinkedIn to inform them, but LinkedIn hung up on them. Why? Because DeMott and Seitz charge for their services:
DeMott, who runs Rockford, Mich.-based VDA Labs with his partner Justin Seitz, said he called LinkedIn to either sell the bug or offer his company’s consulting services, like he does for any vendor impacted by a vulnerability discovered by DeMott or Seitz.
VDA Labs charges about $175 to $200 an hour for consulting and usually about $5,000 to purchase a significant zero-day flaw, DeMott said.
LinkedIn’s take on this seems to be that it’s a form of extortion:
Kay Luo, spokeswoman for LinkedIn, told SCMagazine.com today that the company does not respond to researchers looking to profit off vulnerabilities.
DeMott and Seitz don’t see it as extortion, though:
DeMott understands how companies such as LinkedIn may think of his and Seitz’s business model as questionable, but he said he is “not trying to do damage to them.”
“I see both sides of it,” he admitted. “But I also see that as a researcher, I work hard days and nights to find these bugs. I think we deserve some compensation.”
When LinkedIn declined to respond, DeMott decided to release the vulnerability “0-day style”, i.e., publicly. His take? This is what’s in the best interest of the users, so that those at risk can protect themselves and the company is pressured to resolve it quickly.
So what’s your take on this? Helpful hacking? Or e-extortion? And what about LinkedIn’s response?