Why “Just an XSS” Doesn’t Fly on Social Media


If you have been following the security industry for a while, you are probably familiar with the “it’s just an XSS” attitude towards vulnerabilities and bugs. Cross-site scripting is the class of security issue that is often dealt with last, since practitioners would rather hunt for the “sexier” SQL injections and bugs that affect the application stack at a deeper level.

However, when you’re dealing with social networks, XSS suddenly becomes much more important. Scrap that: critical. If you don’t believe me, check out LinkedIn’s latest response to an XSS bug on their help forums. 13 minutes. That’s how quickly LinkedIn responded to Rohit Dua, the researcher who disclosed the vulnerability. Overall it took less than 3 hours to fix the bug and deploy the patch.

The reason XSS bugs are more dangerous on social media is that a social network’s whole product is rendering content written by one user to many other users, inside their authenticated sessions, and the network relies on those users (and the authors of its content) for revenue. A stored XSS payload in a post, comment or profile executes for every viewer, can repost itself from the viewer’s account, and so has the capability to spread virally across the network and wreak havoc on users’ profiles, both on the network and beyond. The ability to act within a user’s session on a social network gives attackers access to both personal and business assets. This level of access makes social networks the adversary’s attack vector of choice. Earlier this year, Cisco reported that Facebook scams are the most common method for breaching an organization’s network.
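To make the “spreads virally” point concrete, here is an added example (not code from the original post or from any social network) of the root cause: a feed that interpolates user-written content straight into HTML, shown beside the escaped version. The post data, the `/api/post` endpoint in the payload, and all function names are constructed for illustration.

```javascript
// Added example: stored XSS in a social feed, vulnerable rendering vs. escaped rendering.
// All data and names below are constructed for illustration; the endpoint is hypothetical.

// Constructed sample posts, as a feed would load them from storage.
// The second body is attacker-supplied. If it is rendered unescaped, the handler runs in
// every viewer's session and reposts its own markup (this.outerHTML) from that viewer's
// account, which is the self-propagation mechanism behind social-network XSS worms.
const samplePosts = [
  { author: "alice", body: "Great talk today!" },
  {
    author: "mallory",
    body: '<img src=x onerror="fetch(\'/api/post\',{method:\'POST\',body:this.outerHTML})">',
  },
];

// Vulnerable: user content is dropped into markup as-is.
function renderPostVulnerable(post) {
  return `<div class="post"><b>${post.author}</b>: ${post.body}</div>`;
}

// Escape the five characters that change meaning in an HTML text context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every untrusted field is escaped for the context it lands in (here, text nodes).
function renderPostSafe(post) {
  return `<div class="post"><b>${escapeHtml(post.author)}</b>: ${escapeHtml(post.body)}</div>`;
}

function renderFeed(posts, render) {
  return posts.map(render).join("\n");
}

// Crude check used by the demo: did a script-capable tag from user content survive into
// the output? The template itself only emits <div> and <b>, so any of these came from a user.
function containsActiveContent(html) {
  return /<\s*(script|img|svg|iframe|object|embed)\b/i.test(html);
}

// Demo: the same feed rendered both ways.
for (const [label, render] of [["vulnerable", renderPostVulnerable], ["escaped", renderPostSafe]]) {
  const html = renderFeed(samplePosts, render);
  console.log(`${label}: active user-supplied tag present = ${containsActiveContent(html)}`);
}
```

Escaping has to match the output context: the text-node escaping above is not enough for content that ends up inside an attribute, a URL, or a script block, and a real feed should use a templating engine that escapes by default rather than hand-built string concatenation.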

Security teams typically have few or no controls around social media, especially compared to traditional channels such as email and web. Moreover, because social media is interactive (real-time rather than asynchronous), it lets an attacker combine technical exploitation with social engineering in a single conversation.

For the attacker, trust relationships have never been so easy to exploit (not to mention the ease of impersonating an authority figure, covering your tracks after an attack, and obfuscating evidence). For the security team, social media is dynamic and opaque. Consider also that this is where every organization’s people hang out, interact and click links. Expect to see a greater focus on these classes of vulnerabilities and bugs in the near future, especially when bug bounties reward researchers with cold, hard cash for these findings.