Published on June 19th, 2014
Millions of LinkedIn Users at Risk of Man-in-the-Middle Attack
The popular professional network, LinkedIn has left hundreds of millions of its users exposed to Man-in-the-Middle (MitM) attack due to the way the site uses Secure Sockets Layer (SSL) encryption in its network.
LinkedIn does use HTTPS for its user login pages, but it does not use HTTP Strict Transport Security (HSTS), the mechanism that stops a browser from sending any communication over plain HTTP and forces all communication over HTTPS instead.
According to researchers at Israel-based Zimperium Mobile Threat Defence, this poor implementation of HTTPS/SSL allows an attacker on the network path to intercept a user’s communication by replacing all “HTTPS” requests with their non-encrypted form, “HTTP”, an attack known as “SSL stripping”.
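As an added example (not code from the article or from Zimperium’s research), the following Python check evaluates the two server-side controls the article names, a redirect from HTTP to HTTPS and a Strict-Transport-Security header, against constructed responses; the example.com hostname and all header values are made up for illustration.

```python
# Added check: does a site's response pair leave room for SSL stripping?
# Stripping works only while the browser still talks plain HTTP. Two
# server-side controls close that window: an http:// -> https:// redirect and
# a Strict-Transport-Security (HSTS) header that makes the browser refuse
# plain HTTP on later visits. All sample responses below are constructed.
ONE_YEAR = 365 * 24 * 3600

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 directives)."""
    if header is None:
        return None
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max-age"] = int(value)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def assess(http_status, http_headers, https_headers):
    """Return findings for one host from its plain-HTTP and HTTPS responses."""
    findings = []
    location = http_headers.get("Location", "")
    if http_status not in (301, 302, 307, 308) or not location.startswith("https://"):
        findings.append("http-not-redirected: plain HTTP served content")
    policy = parse_hsts(https_headers.get("Strict-Transport-Security"))
    if policy is None:
        findings.append("hsts-missing: browser accepts HTTP on the next visit")
    else:
        if policy["max-age"] is None or policy["max-age"] < ONE_YEAR:
            findings.append("hsts-short-max-age: policy expires quickly")
        if not policy["includeSubDomains"]:
            findings.append("hsts-no-subdomains: subdomains remain strippable")
    return findings

# Weak configuration as the article describes it: an HTTPS login page exists,
# but plain HTTP is still served and no HSTS header is sent.
WEAK = (200, {"Content-Type": "text/html"}, {"Content-Type": "text/html"})
# Hardened configuration: redirect plus a long-lived HSTS policy.
HARDENED = (301, {"Location": "https://www.example.com/"},
            {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    print("weak:", assess(*WEAK))
    print("hardened:", assess(*HARDENED))
```

A redirect alone is not enough, because a stripping proxy can sit on the HTTP side and rewrite it; the HSTS header is what makes the browser refuse that side on later visits, and the very first visit is covered only by the browser preload list.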
“Once the attacker has extracted a user’s credentials, they can reuse the user’s credentials or session cookies to authenticate and forge the exact session,” reads the blog post.
In a video demonstration, the researchers used this attack against the LinkedIn website: through SSL stripping, they intercepted a user’s account with a MITM attack and successfully grabbed the account information, and every user they tested was vulnerable.
By mounting a MitM attack against the website, an attacker can grab a LinkedIn user’s credentials, hijack their session to gain access to all of their other LinkedIn information, and impersonate the user. Attackers could access information including:
- Email address
- Read and Sent Messages
- “Who viewed my profile”
Attackers can impersonate the user to use any account feature, including:
- Send invitations to connect
- Edit the user’s profile
- Edit job postings
- Manage company pages
“So not only is your personal LinkedIn information at risk, but also if you are an administrator for your corporate LinkedIn presence, your company’s brand reputation could also be damaged if a malicious actor were to gain control over posts and email communication on LinkedIn,” reads the blog post.
Moreover, this vulnerability in LinkedIn does not only exist when a potential attacker is on the same network as the targeted victim.
To perform a MITM attack remotely, an attacker can compromise a device; once that device joins a different network, the same attacker can use the victim’s device remotely to perform a man-in-the-middle attack on other users on that network.
Researchers from Zimperium first responsibly reported this critical ‘session hijacking’ vulnerability to the LinkedIn security team in May 2013. Despite reaching out to LinkedIn six times over the last year, they say the team has not responded seriously.
Later, from December 2013, LinkedIn began transitioning the website to HTTPS by default, and just last week it successfully upgraded US and European users to default HTTPS. Because of the slow rollout of default SSL, Zimperium finally disclosed the vulnerability publicly.
LinkedIn spokeswoman Nicole Leverich said the issue described by Zimperium “does not impact the vast majority of LinkedIn members given our ongoing global release of https by default.”
However, in 2012 LinkedIn offered its users an option to change their security settings to full HTTPS manually, but many might not have known about it. You can enable it by going into your LinkedIn settings, opening the “Account” tab and clicking “Manage security settings” to select Full HTTPS.