DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

LinkedIn vulnerability to MITM attacks puts your data at risk – Zimperium

Posted on June 19, 2014 by Dissent

Zimperium Mobile Defence says that their testing found that LinkedIn users are at risk of Man-in-the-Middle Attacks:

What information is vulnerable?
Using basic MITM, we found that an attacker can extract a LinkedIn user’s credentials, hijack their session to gain access to all other LinkedIn information and impersonate the user. The following information is exposed, along with anything else that you, as a user, have access to:

  • Email address
  • Password
  • Read and Sent Messages
  • Connections
  • “Who viewed my profile”

Attackers can impersonate the user to use any account feature, including:

  • Send invitations to connect
  • Edit the user’s profile
  • Edit job postings
  • Manage company pages

So not only is your personal LinkedIn information at risk, but also if you are an administrator for your corporate LinkedIn presence, your company’s brand reputation could also be damaged if a malicious actor were to gain control over posts and email communication on LinkedIn.

Who is vulnerable?

Every single user we tested was vulnerable to this attack. In addition, this vulnerability doesn’t just exist when an attacker is on the same network as the target – if an attacker has already compromised a device, once that device enters a different network, the attacker can use the victim’s device to attack other users on the same network.

Zimperium writes that they did notify LinkedIn of the vulnerability, and since May 2013, had reached out numerous times to LinkedIn. According to their statement, LinkedIn informed them that they were planning to turn on SSL by default, but it has not happened yet.

DataBreaches.net e-mailed LinkedIn for a response to Zimperium’s claims, and they provided this statement:

LinkedIn is committed to protecting the security of our members. In December 2013,  we started transitioning the LinkedIn site to default HTTPS and just last week announced that we are serving all traffic to all users in US and EU by default over HTTPS. This issue does not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default.

LinkedIn also noted that when contacted by the researchers, they responded by sharing updates on their blog about their HTTPS rollout which address the issue. In addition, their spokesperson notes, members have been able to turn on HTTPS by default by simply going to their settings, clicking the Account tab and then clicking manage security settings and checking the box and clicking “save changes”. At any time, they can turn off HTTPS by unchecking the box.

If you are not in the U.S. or EU and use LinkedIn, you might want to check to ensure you’ve enabled HTTPS by default.

 

Related posts:

  • Ransomware Resources for HIPAA Regulated Entities
Category: Business SectorCommentaries and Analyses

Post navigation

← AT&T Mobility reports breach involving service provider employees
House Oversight asks Inspector General of the FTC to investigate FTC’s actions in LabMD case →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud
  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized
  • Bolton Walk-In Clinic patient data leak locked down (finally!)
  • 50 Customers of French Bank Hit by Insider SIM Swap Scam
  • Ontario health agency atHome ordered to inform 200,000 patients of March data breach
  • Fact-Checking Claims By Cybernews: The 16 Billion Record Data Breach That Wasn’t
  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.