Slow rollout of SSL places users of LinkedIn at risk research says

According to research, users of LinkedIn could be vulnerable to Man-in-the-Middle (MITM) attacks, leading to account and personal information compromise.

San Francisco-based Zimperium, a firm that deals with mobile security, reported the problems to the social network more than a year ago, but the issue still exists.

In a timeline of events shared with Salted Hash, Zimperium contacted LinkedIn six times over the last year, but the firm would only share basic information, such as how the planned deployment of SSL across the LinkedIn network would fix the problem.

In a statement, Zimperium said that with a relatively straightforward MITM attack, leveraging SSL stripping, it’s possible to extract LinkedIn credentials, hijack sessions (gaining access to other LinkedIn information on the account), and impersonate the user.

The impersonation aspect of this situation could lead to other problems, including Phishing attacks or passive social enginieering. However, that is in addition to all of the other access violations, because an attacker in this case would have the full permissions granted to the compromised profile – including admin rights on groups and company pages.

“Every single user we tested was vulnerable to this attack. In addition, this vulnerability doesn’t just exist when an attacker is on the same network as the target – if an attacker has already compromised a device, once that device enters a different network, the attacker can use the victim’s device to attack other users on the same network,” Zimperium explained.

To prove their claims, Zimperium used their own tools and accounts, but the process isn’t overly complex to an informed attacker armed with the proper software.

Over the years, professional penetration testing tools and software packages have perfected MITM attacks, especially if an attacker can monitor the network. In this scenario, LinkedIn users accessing their profiles in a public setting, such as a coffee shop, airport lounge, or conference, are especially at risk.

In a statement, LinkedIn said that the issue doesn’t impact all of its users, only some of them.

“LinkedIn is committed to protecting the security of our members. In December 2013 we started transitioning the LinkedIn site to default HTTPS and just last week announced that we are serving all traffic to all users in US and EU by default over HTTPS. This issue does not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default.”

Responding to the the statement, Zimperium said while they’re pleased that LinkedIn is implementing SSL by default, “are still seeing many instances of this new setting not being enabled on existing or new LinkedIn accounts in the US and Europe.”

“Our initial test suggests for existing accounts that deleting authentication cookies still resident in a user’s browser might fix this issue, however this has not been consistently the case.”

One possible mitigation is to enable secure connections.

Under Account & Settings, click review next to Privacy & Settings and go to Account. From there, click Manage Security Settings and then enable Secure Connection.