Published on June 19th, 2014
Millions of LinkedIn Users at Risk of Man-in-the-Middle Attack
The popular professional network LinkedIn has left hundreds of millions of its users exposed to Man-in-the-Middle (MitM) attacks because of the way the site deploys Secure Sockets Layer (SSL) encryption across its network.
LinkedIn does serve its login pages over HTTPS, but it does not send the HTTP Strict Transport Security (HSTS) header. HSTS tells a browser that has seen it to refuse plain-HTTP connections to the site and to send every subsequent request over HTTPS, so that no communication is ever sent in the clear.
According to researchers at Israel-based Zimperium Mobile Threat Defence, this incomplete HTTPS/SSL deployment lets an attacker who sits between the user and LinkedIn intercept the user's communication by rewriting every "https://" reference the site sends back into its unencrypted form, "http://", so that the browser never establishes a TLS session. This is known as an "SSL stripping" attack.
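The two sides of the attack described above can be shown in a few dozen lines. The following is an added example, not code from the original article or from Zimperium's tooling: `strip_https_links` performs the rewrite an SSL-stripping proxy applies to a page body, and `HstsPolicy` is a minimal model of the browser-side HSTS store (per RFC 6797) that defeats it by upgrading the stripped request back to HTTPS before it leaves the machine. The hostnames and HTML fragment are constructed sample input; all function and class names are this example's own.

```python
"""Added example: SSL stripping versus an HSTS-aware browser.
Not code from the original article or from Zimperium. Names are hypothetical."""
import re
import time
from urllib.parse import urlsplit

# --- Attacker side -----------------------------------------------------------
# A MitM proxy fetches the real page from the server over HTTPS, then hands it
# to the victim over plain HTTP with every https:// reference rewritten. The
# browser follows the rewritten links, so later requests (including the login
# POST carrying the password and the session cookie) travel unencrypted.
HTTPS_LINK = re.compile(rb"https://", re.IGNORECASE)


def strip_https_links(body: bytes) -> bytes:
    """Rewrite https:// to http:// in a response body, as an SSL-stripping proxy does."""
    return HTTPS_LINK.sub(b"http://", body)


# --- Browser side ------------------------------------------------------------
class HstsPolicy:
    """Minimal HSTS store: remembers hosts that sent Strict-Transport-Security.

    A real browser only records the header when it arrives over an error-free
    HTTPS connection; this model assumes the caller has already checked that.
    """

    def __init__(self):
        self._entries = {}  # host -> (expiry_timestamp, include_subdomains)

    def record(self, host, header_value, now=None):
        """Parse a Strict-Transport-Security header value and store the policy.

        Returns False (and stores nothing) for a malformed header, which is
        what RFC 6797 tells browsers to do.
        """
        now = time.time() if now is None else now
        max_age = None
        include_subdomains = False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return False  # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 deletes the entry
            return True
        self._entries[host] = (now + max_age, include_subdomains)
        return True

    def is_known(self, host, now=None):
        """True if host (or a parent with includeSubDomains) has an unexpired entry."""
        now = time.time() if now is None else now
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if now >= expiry:
                continue
            if candidate == host or include_subdomains:
                return True
        return False

    def rewrite_request(self, url, now=None):
        """What the browser does before sending: upgrade http:// to https:// for known hosts."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname, now):
            return "https://" + url[len("http://"):]
        return url


if __name__ == "__main__":
    page = b'<form action="https://www.linkedin.com/uas/login-submit">'  # constructed sample
    stripped = strip_https_links(page)
    print(stripped)  # the form now posts over plain HTTP

    browser = HstsPolicy()
    browser.record("www.linkedin.com", "max-age=31536000; includeSubDomains")
    # The stripped link never leaves the machine over HTTP once HSTS is in the store.
    print(browser.rewrite_request("http://www.linkedin.com/uas/login-submit"))
```

Two caveats a practitioner should keep in mind: HSTS is trust-on-first-use, so a user whose browser has never received the header over a clean HTTPS connection (or whose entry has expired) is still exposed to the first stripped request unless the domain is on the browsers' preload list; and HSTS only protects the hosts it covers, so a session cookie without the `Secure` flag set for a non-covered host can still leak over HTTP.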
"Once the attacker has extracted a user's credentials, they can reuse the user's credentials or session cookies to authenticate and forge the exact session," reads the blog post.
In a video demonstration, the researchers ran an SSL-stripping attack against the LinkedIn website and, as a MitM, intercepted a user's session and captured the account's information. Every user they tested was vulnerable.
By mounting a MitM attack against the site, an attacker can capture a LinkedIn user's credentials, hijack the session to reach everything else in the account, and impersonate the user. From the hijacked session an attacker can read:
- Email address
- Password
- Read and Sent Messages
- Connections
- "Who viewed my profile"
Attackers can impersonate the user to use any account feature, including:
- Send invitations to connect
- Edit the user's profile
- Edit job postings
- Manage company pages
"So not only is your personal LinkedIn information at risk, but also if you are an administrator for your corporate LinkedIn presence, your company's brand reputation could also be damaged if a malicious actor were to gain control over posts and email communication on LinkedIn," reads the blog post.
Moreover, exploiting this weakness does not require the attacker to be on the same network as the victim.
To mount the MitM attack remotely, an attacker can first compromise a device; once that device joins a different network, the attacker can use it as a foothold to run the man-in-the-middle attack against other users on that network.
Zimperium's researchers first responsibly reported this "session hijacking" vulnerability to the LinkedIn security team in May 2013. Despite reaching out to LinkedIn six times over the past year, they say the team did not respond seriously.
Starting in December 2013, LinkedIn began transitioning the site to HTTPS by default, and just last week it finished moving US and European users to default HTTPS. Because the rollout of default SSL had been so slow, Zimperium decided to disclose the vulnerability publicly.
LinkedIn spokeswoman Nicole Leverich said the issue described by Zimperium "does not impact the vast majority of LinkedIn members given our ongoing global release of https by default."
Since 2012, LinkedIn has offered its users an option to switch their account to full HTTPS manually, but many may not have known about it. You can enable it by going into your LinkedIn settings, opening the "Account" tab and clicking "Manage security settings" to select Full HTTPS. Until the default rollout reaches your account, this setting is the only protection against the attack described here.