Security researchers have disclosed the discovery of a zero-day vulnerability in the online business networking platform LinkedIn that exposes its users to data loss and account hijacking by way of a man-in-the-middle (MITM) attack.
“Through a relatively straightforward MITM attack that leverages an SSL stripping technique, hackers can steal a user’s credentials and gain full control of the user’s account,” the researchers reported. “Given the severity of this threat, it’s the security community’s responsibility to raise awareness, educate the public and urge these vulnerable companies to protect users’ data.”
Man-in-the-Middle attack vulnerabilities allow a third party to surreptitiously insert itself into what is believed to be a securely encrypted communications stream, where it can intercept sensitive data and even impersonate either party in the exchange.
“Using basic MITM, we found that an attacker can extract a LinkedIn user’s credentials, hijack their session to gain access to all other LinkedIn information and impersonate the user,” the researchers explained. “Not only is your personal LinkedIn information at risk, but also if you are an administrator for your corporate LinkedIn presence, your company’s brand reputation could also be damaged if a malicious actor were to gain control over posts and email communication on LinkedIn.”
The team also found that LinkedIn’s mobile website is vulnerable, but concluded that the platform’s mobile application is not. They recommend that users manually enable the HTTPS option in their account settings rather than relying on LinkedIn’s default.
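As an added defender's check (not part of the researchers' report or LinkedIn's code), the Python below inspects a site's plain-HTTP and HTTPS response headers for the three server-side properties that blunt SSL stripping: an immediate redirect from http:// to https://, a Strict-Transport-Security (HSTS) header, and session cookies marked Secure. The sample headers, cookie names and the host example.test are constructed for the example.

```python
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]  # raw header pairs; Set-Cookie may repeat
REDIRECTS = {301, 302, 303, 307, 308}

def header_values(headers: Headers, name: str) -> List[str]:
    return [v for k, v in headers if k.lower() == name.lower()]

def hsts_max_age(headers: Headers) -> int:
    """HSTS max-age in seconds, or 0 when the header is absent or unusable."""
    for value in header_values(headers, "Strict-Transport-Security"):
        for directive in value.split(";"):
            key, _, num = directive.strip().partition("=")
            if key.lower() == "max-age" and num.strip().isdigit():
                return int(num)
    return 0

def insecure_cookies(headers: Headers) -> List[str]:
    """Names of cookies set without Secure; a browser sends these over plain HTTP too."""
    leaky = []
    for raw in header_values(headers, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        if "secure" not in {p.split("=", 1)[0].lower() for p in parts[1:]}:
            leaky.append(parts[0].split("=", 1)[0])
    return leaky

def assess(http_status: int, http_headers: Headers, https_headers: Headers) -> Dict:
    """Judge whether a stripping MITM can hold a victim on plain HTTP or read the session."""
    location = next(iter(header_values(http_headers, "Location")), "")
    redirected = http_status in REDIRECTS and location.lower().startswith("https://")
    max_age = hsts_max_age(https_headers)
    leaky = insecure_cookies(https_headers)
    return {
        "http_redirects_to_https": redirected,
        "hsts_max_age": max_age,
        "insecure_cookies": leaky,
        # Stripping succeeds while plain HTTP serves content, the browser is
        # never told to insist on HTTPS, or a session cookie leaks over HTTP.
        "strippable": not redirected or max_age == 0 or bool(leaky),
    }

# Constructed sample headers, not captured from any real site. OPT_IN mirrors the
# posture the article describes: HTTP serves the page, no HSTS, cookie not Secure.
OPT_IN = dict(http_status=200, http_headers=[("Content-Type", "text/html")],
              https_headers=[("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
HARDENED = dict(http_status=301, http_headers=[("Location", "https://example.test/")],
                https_headers=[("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                               ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])
```

`assess(**OPT_IN)` reports the session as strippable with the cookie exposed, while `assess(**HARDENED)` reports no exposure; pass real captured headers in the same shape to audit a site you operate.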
LinkedIn has apparently been aware of the vulnerability for as long as a year, according to the researchers, who also say they believe the flaw is actively being exploited by attackers in the wild.
“We have reached out to LinkedIn six times over the last year to bring this critical vulnerability to their attention and have urged them to improve their network security, but more than a year after disclosing the bug they have yet to implement a patch for this vulnerability,” the researchers said.
“LinkedIn’s vulnerability to cyber attacks threatens its millions of users — as personal data like email addresses, passwords, messages and more are vulnerable to be compromised by malicious actors.”