Hacking Hackers for fun and profit

This story will be in several parts. In each of the situations, I had to face unexpected results. By and large, these are stories that have arisen from the exploitation of the XSS vulnerability in wildlife. I hope you find something useful in these stories.

Self XSS as a Critical Vulnerability

Many of you know that there are several types of XSS vulnerabilities. And most of you will think that Self XSS is hard to consider a valid vulnerability. Especially to be accepted on the bug bounty. Moreover, almost no one can believe that the Self XSS can become a critical problem. But one day it did.

A few years ago I decided to update my LinkedIn profile and just out of curiosity I put a Blind XSS in the skills area of my profile.

Nothing happened for a year. But a year later I got a very interesting result. I got a huge list of people from the security industry for my region in the XSS Hunter panel. There were names, addresses, and phone numbers. All the things you could call PII Data. And the surprising thing was something else. The javascript execution didn’t happen somewhere on Linkedin’s own internal systems. It happened…