Zimperium Mobile Defence says that their testing found that LinkedIn users are at risk of Man-in-the-Middle Attacks:
What information is vulnerable?
Using basic MITM, we found that an attacker can extract a LinkedIn user’s credentials, hijack their session to gain access to all other LinkedIn information and impersonate the user. The following information is exposed, along with anything else that you, as a user, have access to:
- Email address
- Password
- Read and Sent Messages
- Connections
- “Who viewed my profile”
Attackers can impersonate the user to use any account feature, including:
- Send invitations to connect
- Edit the user’s profile
- Edit job postings
- Manage company pages
So not only is your personal LinkedIn information at risk, but also if you are an administrator for your corporate LinkedIn presence, your company’s brand reputation could also be damaged if a malicious actor were to gain control over posts and email communication on LinkedIn.
Who is vulnerable?
Every single user we tested was vulnerable to this attack. In addition, this vulnerability doesn’t just exist when an attacker is on the same network as the target – if an attacker has already compromised a device, once that device enters a different network, the attacker can use the victim’s device to attack other users on the same network.
Zimperium writes that they did notify LinkedIn of the vulnerability, and since May 2013, had reached out numerous times to LinkedIn. According to their statement, LinkedIn informed them that they were planning to turn on SSL by default, but it has not happened yet.
DataBreaches.net e-mailed LinkedIn for a response to Zimperium’s claims, and they provided this statement:
LinkedIn is committed to protecting the security of our members. In December 2013, we started transitioning the LinkedIn site to default HTTPS and just last week announced that we are serving all traffic to all users in US and EU by default over HTTPS. This issue does not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default.
LinkedIn also noted that when contacted by the researchers, they responded by sharing updates on their blog about their HTTPS rollout which address the issue. In addition, their spokesperson notes, members have been able to turn on HTTPS by default by simply going to their settings, clicking the Account tab and then clicking manage security settings and checking the box and clicking “save changes”. At any time, they can turn off HTTPS by unchecking the box.
If you are not in the U.S. or EU and use LinkedIn, you might want to check to ensure you’ve enabled HTTPS by default.