Khalil Shreateh, a self-professed IT expert from Palestine, hit the headlines four years ago when he hacked Facebook CEO Mark Zuckerberg’s wall. Shreateh was frustrated that Facebook was ignoring a big security flaw, so demonstrating it on Zuckerberg’s own Facebook wall was an easy way to get the company to act. Shreateh discovered a security flaw in LinkedIn last month, and he reached out to The Verge after becoming frustrated that the company was ignoring his report — just like four years ago.
The flaw worked by smuggling more complex code into images hosted on the service. By altering the source value of a posted image, an attacker could execute a remote script when the user clicked on the picture. In the most troubling version of the exploit, the attacker could disguise that script as a LinkedIn authentication prompt, which could potentially trick users into sharing their password. The authentication prompt would even automatically pop up if a LinkedIn user simply visited the post and was logged out of the service. LinkedIn patched the flaw after being contacted by The Verge.