Are you a LinkedIn user? If so, this story may be of interest to you. Security researchers at Zimperium Mobile Threat Defence claim to have discovered a zero-day vulnerability in the online business networking platform LinkedIn that potentially exposes its users to data loss and account hijacking by way of a man-in-the-middle (MitM) attack. MitM attacks allow third parties to insert themselves surreptitiously into what are thought to be securely encrypted communication streams and intercept sensitive data.
Why is this discovery such bad news for LinkedIn? Mainly because this isn’t the first time the professional networking site has fallen prey to hacking. Back in 2012, millions of users had their accounts hacked and their passwords compromised. In response to that attack LinkedIn spent a large amount of money on forensic work; however, it would appear that there are vulnerabilities that still need addressing. What might prove even more damaging for the company is that this latest threat was flagged up by Zimperium over a year ago, yet LinkedIn failed to act on the information.
So what exactly have the researchers at Zimperium discovered? The problem revolves around the way LinkedIn uses Secure Sockets Layer (SSL) encryption in its network. The poor implementation of HTTPS/SSL allows a hacker to intercept a user’s communication by replacing all “HTTPS” requests with their non-encrypted form, “HTTP”, a downgrade that HTTP Strict Transport Security (HSTS) is designed to prevent. According to the researchers, SSL stripping attacks could potentially leave the email addresses, passwords and messages of hundreds of millions of LinkedIn users compromised. Zimperium’s researchers claim in a blog post:
“Through a relatively straightforward MITM attack that leverages an SSL stripping technique, hackers can steal a user’s credentials and gain full control of the user’s account. Given the severity of this threat, it’s the security community’s responsibility to raise awareness, educate the public and urge these vulnerable companies to protect users’ data.”
“Using basic MITM, we found that an attacker can extract a LinkedIn user’s credentials, hijack their session to gain access to all other LinkedIn information and impersonate the user. Not only is your personal LinkedIn information at risk, but also if you are an administrator for your corporate LinkedIn presence, your company’s brand reputation could also be damaged if a malicious actor were to gain control over posts and email communication on LinkedIn.”
“We have reached out to LinkedIn six times over the last year to bring this critical vulnerability to their attention and have urged them to improve their network security, but more than a year after disclosing the bug they have yet to implement a patch for this vulnerability,” the researchers said.
The team also found that LinkedIn’s mobile website is vulnerable as well, but concluded that the platform’s mobile application is not. They recommend that users manually enable the HTTPS option in their settings rather than relying on LinkedIn’s default setting.
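For site owners, resistance to the SSL stripping described above can be checked from response headers alone. The following is an added example, not code from Zimperium or from this post: it audits a response for an HSTS policy, an HTTP-to-HTTPS redirect and the Secure cookie flag. The function names, the 180-day `min_age` threshold and the sample responses are assumptions constructed for illustration.

```python
# Added example: audit response headers for SSL-stripping resistance.
# WEAK and HARDENED are constructed samples, not captures from any real site.

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            policy["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def audit(scheme, headers, min_age=15552000):  # 180 days, assumed threshold
    """Return findings for one response; headers is a list of (name, value)."""
    findings = []
    hdrs = [(k.lower(), v) for k, v in headers]
    hsts = [v for k, v in hdrs if k == "strict-transport-security"]
    if scheme == "http":
        loc = next((v for k, v in hdrs if k == "location"), "")
        if not loc.lower().startswith("https://"):
            findings.append("plain-HTTP response does not redirect to HTTPS")
        if hsts:
            findings.append("HSTS sent over HTTP is ignored by browsers")
    else:
        # Browsers process only the first HSTS header field in a response.
        policy = parse_hsts(hsts[0]) if hsts else None
        if policy is None or policy["max_age"] is None:
            findings.append("no valid HSTS policy on HTTPS response")
        elif policy["max_age"] < min_age:
            findings.append("HSTS max-age below %d seconds" % min_age)
    for k, v in hdrs:
        if k == "set-cookie":
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.append("cookie %r lacks Secure flag" % v.split("=", 1)[0])
    return findings

WEAK = ("https", [("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
HARDENED = ("https", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
])
```

A session cookie without the Secure flag is sent over plain HTTP as well, so it is exposed as soon as a connection is downgraded, even when the login form itself is served over HTTPS.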
If you are concerned about the escalating security challenges facing businesses today and would like to take precautions, then why not speak to Krypsys? Krypsys’ services are focused on helping you assess your security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.
Whether you’re looking for help with penetration testing and security reviews, or are looking for advice on security compliance and web security solutions, Krypsys can help you. For more information on web security solutions, please contact Krypsys on 01273 044072 or [email protected].