LinkedIn has failed for over a year to address a security flaw that puts the data of all of its more than 300 million users at risk and allows sensitive user information to be stolen easily.
A report by Zimperium Mobile Defense Security found that a straightforward man-in-the-middle (MITM) attack using an SSL stripping technique allows attackers to steal user credentials and gain full control of an account.
“We have reached out to LinkedIn six times over the last year to bring this critical vulnerability to their attention and have urged them to improve their network security, but more than a year after disclosing the bug they have yet to implement a patch for this vulnerability,” read a release from Zimperium.
The information exposed by the flaw includes the user’s email address, password, messages, connections and “who viewed my profile” data; an attacker who hijacks a session gains access to all of this and can impersonate the user.
Impersonating the user allows the attacker to do anything a regular user can, such as sending invitations to connect, reading and sending messages, editing the user profile and job postings, and managing company pages.
“Not only is your personal LinkedIn information at risk, but also, if you are an administrator for your corporate LinkedIn presence, your company’s brand reputation could also be damaged if a malicious actor were to gain control over posts and email communication on LinkedIn,” the firm added.
Every user Zimperium tested was open to the attack, and the risk is not limited to an attacker sitting on the same network as the target: if an attacker has already compromised a device, then once that device joins a new network the attacker can use it to attack further devices there.
Since we published this story, LinkedIn has been in touch and confirmed that it has shared updates with Zimperium on its HTTPS rollout, which fixes the issue.
"In December 2013 we started transitioning the LinkedIn site to default HTTPS and just last week announced that we are serving all traffic to all users in US and EU by default over HTTPS. This issue does not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default," a spokesperson from LinkedIn told ITProPortal.com.
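The article describes an SSL stripping attack and a default-HTTPS rollout as the fix. As an added illustration that is not from Zimperium, LinkedIn or ITProPortal, the Python check below shows what a defender would verify on their own site to decide whether stripping is still viable: a plain http:// request must be redirected to https://, the https:// response must carry a Strict-Transport-Security header with a long max-age, and session cookies must carry the Secure flag so they are never sent over the downgraded connection. The response pairs at the bottom are constructed for the example and are not captured from any real service.

```python
"""Defender-side check: does a site's HTTP behaviour leave it open to
SSL stripping?  The sample responses are constructed for this example
and are not captured from LinkedIn or any other real site."""
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple

# Minimal model of an HTTP response: status code plus (name, value)
# header pairs; a list rather than a dict because Set-Cookie may repeat.
Response = Tuple[int, List[Tuple[str, str]]]

ONE_YEAR = 31536000  # HSTS max-age that browsers and preload lists expect


def _headers(resp: Response, name: str) -> List[str]:
    """All values of the named header, matched case-insensitively."""
    return [v for k, v in resp[1] if k.lower() == name.lower()]


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value into its directives."""
    out: Dict[str, object] = {"max-age": 0, "includeSubDomains": False, "preload": False}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                out["max-age"] = int(val.strip().strip('"'))
            except ValueError:
                out["max-age"] = 0  # malformed value gives no protection
        elif key == "includesubdomains":
            out["includeSubDomains"] = True
        elif key == "preload":
            out["preload"] = True
    return out


def assess(plain_http: Response, over_https: Response) -> List[str]:
    """Return the findings that would let a MITM keep a victim on plain HTTP.

    plain_http: the server's answer to an http:// request for the login page
    over_https: the server's answer to the same request over https://
    An empty list means every checked condition is satisfied.
    """
    findings: List[str] = []

    # 1. An http:// request must be bounced to https://, never served directly.
    status, _ = plain_http
    locations = _headers(plain_http, "Location")
    redirected = 300 <= status < 400 and locations and locations[0].lower().startswith("https://")
    if not redirected:
        findings.append("http:// request is served directly instead of redirected to https://")

    # 2. HSTS tells the browser to refuse plain HTTP on later visits, so a
    #    stripped first hop cannot be repeated once the policy is cached.
    hsts_values = _headers(over_https, "Strict-Transport-Security")
    if not hsts_values:
        findings.append("no Strict-Transport-Security header on the https:// response")
    else:
        hsts = parse_hsts(hsts_values[0])
        if int(hsts["max-age"]) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if not hsts["includeSubDomains"]:
            findings.append("HSTS does not cover subdomains")

    # 3. Session cookies without Secure are sent over the stripped connection,
    #    which is exactly the session-hijack path the report describes.
    for raw in _headers(over_https, "Set-Cookie"):
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name!r} set without the Secure flag")
    return findings


# Constructed "before": site answers http:// directly, no HSTS, insecure cookie.
BEFORE_HTTP: Response = (200, [("Content-Type", "text/html")])
BEFORE_HTTPS: Response = (200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
])

# Constructed "after" a default-HTTPS rollout with HSTS and Secure cookies.
AFTER_HTTP: Response = (301, [("Location", "https://example.test/login")])
AFTER_HTTPS: Response = (200, [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
])

if __name__ == "__main__":
    for label, pair in (("before", (BEFORE_HTTP, BEFORE_HTTPS)),
                        ("after", (AFTER_HTTP, AFTER_HTTPS))):
        print(label, assess(*pair) or ["no findings"])
```

The first condition alone is not enough: a redirect happens on the server, but the stripping proxy sits between the user and that server and can rewrite the redirect away, which is why the HSTS and Secure-cookie checks matter for anyone who has visited the site before.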