login-phishing

1 article
sort: new top best
clear filter
bug-bounty448 google355 microsoft313 facebook262 xss238 apple180 malware174 rce149 exploit124 bragging-post101 cve99 account-takeover93 phishing83 csrf79 privilege-escalation77 stored-xss65 supply-chain65 authentication-bypass63 dos60 reflected-xss57 browser57 react50 cloudflare49 reverse-engineering48 input-validation48 cross-site-scripting48 access-control47 smart-contract45 docker45 aws45 node44 ethereum43 web343 sql-injection43 web-security42 defi42 web-application41 ssrf38 burp-suite35 vulnerability-disclosure34 idor34 race-condition33 html-injection33 info-disclosure33 smart-contract-vulnerability32 writeup32 buffer-overflow32 cloud32 oauth32 information-disclosure30
0 8/10
Persistent XSS unvalidated open graph embed at linkedin.com
vulnerability

Jonathan Bouman discovered a persistent XSS vulnerability in LinkedIn's article embed feature by exploiting unvalidated Open Graph tags, specifically the og:video tag, to inject malicious HTML and create fake phishing login screens that could steal user credentials. The vulnerability leverages LinkedIn's content embedding functionality which processes Open Graph metadata without proper validation, allowing attackers to inject arbitrary content into iframes on LinkedIn articles.

persistent-xss open-graph oembed html-injection phishing embed-manipulation login-phishing iframe-breakout responsible-disclosure bug-bounty linkedin
Jonathan Bouman LinkedIn YouTube Medium Twitter Vimeo Wordpress SnappySnippet Burp Suite
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details