LinkedIn accounts can easily be taken over if HTTPS is not always enabled by default

An attacker can compromise any LinkedIn account if HTTPS is not always enabled by default.

Any LinkedIn user not serving all traffic over HTTPS by default could ultimately have their account taken over in a man-in-the-middle (MitM) attack provided they are on the same network as the attacker.

The MitM attack can happen if LinkedIn redirects users to HTTP following a successful login over HTTPS; an attacker on the same network then uses "SSL stripping," a technique that downgrades HTTPS traffic to HTTP, to see the user's session and credentials in plaintext, Zuk Avraham, founder and CEO of Zimperium, told SCMagazine.com in a Thursday email correspondence.

This enables interception of email addresses, passwords, read and sent messages, and connections, Avraham wrote in a Wednesday post, adding that attackers could take it a step further and edit user profiles, edit job postings, manage company pages, and send invitations to connect with others.

This is a particularly dangerous attack – which also impacts LinkedIn's mobile website, though not its mobile app – because even an unseasoned attacker can carry it out, Avraham said.

Avraham used Zimperium's zANTI penetration testing mobile app, which enables MitM attacks and SSL stripping, but he said that any other toolkit – such as Cain & Abel, Dsploit, Ettercap, and Arpspoof – can be downloaded for free to do essentially the same thing.

“There are several different ways to prevent SSL stripping,” Avraham said. “For example, the website owner can prevent these attacks by ensuring HTTPS is always enabled by default, and not just during login.”
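The mitigation Avraham describes, keeping the session on HTTPS after login rather than only during it, can be checked from the server side by auditing the response a site sends once a login succeeds. The following is an added example, not code from the article or from Zimperium or LinkedIn: it inspects a constructed post-login response for the two conditions that let a stripped session leak (a redirect back to a plain `http://` URL and a session cookie without the `Secure` attribute) and also checks for a `Strict-Transport-Security` header, a standard browser-side defence against SSL stripping that the article does not name. The hostname `www.example.com`, the cookie name `session`, and the sample responses are assumptions made up for the example.

```python
"""Audit a post-login HTTP response for settings that let SSL stripping
expose the session.

Added example, not code from the article or from Zimperium/LinkedIn.
Both sample responses below are constructed for illustration.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample: a weak post-login response that redirects the user
# back to plain HTTP and sets a session cookie the browser would also
# send over HTTP.
WEAK_RESPONSE = {
    "status": 302,
    "headers": [
        ("Location", "http://www.example.com/home"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ],
}

# Constructed sample: the hardened form, which keeps the user on HTTPS,
# marks the cookie Secure, and pins the browser to HTTPS with HSTS.
HARDENED_RESPONSE = {
    "status": 302,
    "headers": [
        ("Location", "https://www.example.com/home"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ],
}


def audit_post_login_response(response, session_cookie_names=("session",)):
    """Return a list of findings (empty when the response is clean).

    response: dict with an int 'status' and a list of (name, value) header
    pairs, as a web framework or proxy log would supply them.
    """
    findings = []
    headers = response["headers"]
    is_redirect = 300 <= response["status"] < 400

    for name, value in headers:
        lname = name.lower()
        if lname == "location" and is_redirect:
            # An absolute http:// Location sends the just-authenticated user
            # back to plaintext; a relative Location keeps the current scheme.
            if urlparse(value).scheme.lower() == "http":
                findings.append(f"downgrade redirect to {value}")
        elif lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cname, morsel in jar.items():
                # Without Secure, the browser attaches the cookie to any
                # http:// request for the domain, which is exactly what a
                # stripping proxy provokes.
                if cname in session_cookie_names and not morsel["secure"]:
                    findings.append(
                        f"session cookie '{cname}' lacks the Secure attribute"
                    )

    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_post_login_response(resp) or 'no findings'}")
```

The check is deliberately limited to what can be read off a single response, so it can run over captured proxy logs or framework test clients without touching the network; the constructed weak response produces three findings, the hardened one none.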

Enabling HTTPS by default is an initiative LinkedIn began undertaking at the end of last year, but the business-oriented social network only began serving it up to U.S. and EU members last week – and Zimperium initially notified LinkedIn about the issue in May 2013, the Zimperium post indicates.

“This issue does not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default,” a LinkedIn spokesperson wrote in a statement emailed Thursday to SCMagazine.com.

Expect to see an increase in these types of attacks, particularly as the number of unsecured hotspots continues to rise, Avraham said, adding that a security defense solution should always be used on any device when connecting to public Wi-Fi.

“Too many people think that anti-virus software will protect them, but it won't, not against these types of attacks,” Avraham said. “Unfortunately, there is not an easy manner for an end user to know their device is being compromised.”
