DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

LinkedIn vulnerability to MITM attacks puts your data at risk – Zimperium

Posted on June 19, 2014 by Dissent

Zimperium Mobile Defence says that their testing found that LinkedIn users are at risk of Man-in-the-Middle Attacks:

What information is vulnerable?
Using basic MITM, we found that an attacker can extract a LinkedIn user’s credentials, hijack their session to gain access to all other LinkedIn information and impersonate the user. The following information is exposed, along with anything else that you, as a user, have access to:

  • Email address
  • Password
  • Read and Sent Messages
  • Connections
  • “Who viewed my profile”

Attackers can impersonate the user to use any account feature, including:

  • Send invitations to connect
  • Edit the user’s profile
  • Edit job postings
  • Manage company pages

So not only is your personal LinkedIn information at risk, but also if you are an administrator for your corporate LinkedIn presence, your company’s brand reputation could also be damaged if a malicious actor were to gain control over posts and email communication on LinkedIn.

Who is vulnerable?

Every single user we tested was vulnerable to this attack. In addition, this vulnerability doesn’t just exist when an attacker is on the same network as the target – if an attacker has already compromised a device, once that device enters a different network, the attacker can use the victim’s device to attack other users on the same network.

Zimperium writes that they did notify LinkedIn of the vulnerability, and since May 2013, had reached out numerous times to LinkedIn. According to their statement, LinkedIn informed them that they were planning to turn on SSL by default, but it has not happened yet.

DataBreaches.net e-mailed LinkedIn for a response to Zimperium’s claims, and they provided this statement:

LinkedIn is committed to protecting the security of our members. In December 2013,  we started transitioning the LinkedIn site to default HTTPS and just last week announced that we are serving all traffic to all users in US and EU by default over HTTPS. This issue does not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default.

LinkedIn also noted that when contacted by the researchers, they responded by sharing updates on their blog about their HTTPS rollout which address the issue. In addition, their spokesperson notes, members have been able to turn on HTTPS by default by simply going to their settings, clicking the Account tab and then clicking manage security settings and checking the box and clicking “save changes”. At any time, they can turn off HTTPS by unchecking the box.

If you are not in the U.S. or EU and use LinkedIn, you might want to check to ensure you’ve enabled HTTPS by default.

 

Category: Business SectorCommentaries and Analyses

Post navigation

← AT&T Mobility reports breach involving service provider employees
House Oversight asks Inspector General of the FTC to investigate FTC’s actions in LabMD case →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines
  • Call for Public Input: Essential Cybersecurity Protections for K-12 Schools (2025-26 SY)
  • Cyberattack puts healthcare on hold for hundreds in St. Louis metro
  • Europol: DDoS-for-hire empire brought down: Poland arrests 4 administrators, US seizes 9 domains

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results
  • Missouri Clinic Must Give State AG Minor Trans Care Information
  • Georgia hospital defeats data-tracking lawsuit
  • No Postal Service Data Sharing to Deport Immigrants
  • DOGE aims to pool federal data, putting personal information at risk
  • Privacy concerns swirl around HHS plan to build Medicare, Medicaid database on autism

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.