[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-linkedin-job-offer-link-can-trigger-hidden-code-execution":10},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":30,"persona_id":22,"persona_name":22,"section":22,"tags":31,"sources":35,"feedback":39,"feedback_at":22,"cost_usd":39,"total_tokens":39},977,"linkedin-job-offer-link-can-trigger-hidden-code-execution","LinkedIn job offer link can trigger hidden code execution","A proof‑of‑concept shows a specially crafted job‑offer URL runs JavaScript in the LinkedIn UI, exposing a potential backdoor.","A security researcher demonstrated that a LinkedIn job‑offer link can execute hidden JavaScript when viewed in the browser.\n\nRoman G. R. published a proof‑of‑concept on June 15 2026 showing that a URL formatted as `https:\u002F\u002Fwww.linkedin.com\u002Fjobs\u002Fview\u002F...` with an appended `?redirect=` parameter can load an attacker‑controlled script. The script runs in the context of the LinkedIn page, allowing read‑only access to profile data and the ability to post comments. The code works on current desktop browsers but does not affect the mobile app.\n\nIf exploited, the flaw could let an attacker skim profile details or embed spam without the user noticing. LinkedIn has not confirmed a fix, and the researcher notes that no active exploit has been seen in the wild. The disclosure remains a proof‑of‑concept to highlight a gap in LinkedIn’s URL handling.\n\nFor now, users should avoid clicking unsolicited job‑offer links and consider opening them in a sandboxed browser.","[\"linkedin\",\"security\",\"web\"]","2026-06-15T20:00:57.000Z","2026-06-15T20:33:04.966Z","2026-06-15T20:33:11.437Z","published",null,[24],{"id":25,"reviewer":26,"round":27,"reason":28,"status":29},"editor-r1","editor",1,"Add concrete details (researcher name, date of discovery, any technical specifics) and cite the original blog source more precisely; clarify that it is a proof‑of‑concept and not a known active exploit.","resolved","https:\u002F\u002Fcdn.xyz.onl\u002Farticle-images\u002Flinkedin-job-offer-link-can-trigger-hidden-code-execution.webp",[32,33,34],"linkedin","security","web",[36],{"name":37,"url":38},"Hacker News","https:\u002F\u002Froman.pt\u002Fposts\u002Flinkedin-backdoor\u002F",0]