LinkedIn accounts can easily be taken over if HTTPS is not always enabled by default
An attacker can compromise any LinkedIn account if HTTPS is not always enabled by default.
Any LinkedIn user not serving all traffic over HTTPS by default could ultimately have their account taken over in a man-in-the-middle (MitM) attack provided they are on the same network as the attacker.
The MitM attack can happen if LinkedIn redirects users to HTTP following a successful login via HTTPS; however, it is "SSL stripping," a technique that changes HTTPS traffic to HTTP traffic, that enables a bad actor to see a user's session, and credentials, in plaintext, Zuk Avraham, founder and CEO of Zimperium, told SCMagazine.com in a Thursday email correspondence.
This enables interception of email addresses, passwords, read and sent messages, and connections, Avraham wrote in a Wednesday post, adding that attackers could take it a step further and edit user profiles, edit job postings, manage company pages, and send invitations to connect with others.
This is a particularly dangerous attack – which also impacts LinkedIn's mobile website, though not its mobile app – because even an unseasoned attacker can carry it out, Avraham said.
Avraham used Zimperium's zANTI penetration testing mobile app, which enables MitM attacks and SSL stripping, but he said that any other toolkit – such as Cain & Abel, Dsploit, Ettercap, and Arpspoof – can be downloaded for free to do essentially the same thing.
“There are several different ways to prevent SSL stripping,” Avraham said. “For example, the website owner can prevent these attacks by ensuring HTTPS is always enabled by default, and not just during login.”
Enabling HTTPS by default is an initiative LinkedIn began undertaking at the end of last year, but the business-oriented social network only began serving it up to U.S. and EU members last week – and Zimperium initially notified LinkedIn about the issue in May 2013, the Zimperium post indicates.
“This issue does not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default,” a LinkedIn spokesperson wrote in a statement emailed Thursday to SCMagazine.com.
Expect to see an increase in these types of attacks, particularly as the number of unsecured hotspots continues to rise, Avraham said, adding that a security defense solution should always be used on any device when connecting to public Wi-Fi.
“Too many people think that anti-virus software will protect them, but it won't, not against these types of attacks,” Avraham said. “Unfortunately, there is not an easy manner for an end user to know their device is being compromised.”