Pierluigi Paganini
July 24, 2015
In November 2014, Kaspersky’s researchers warned LinkedIn about a security flaw that could put at risk their 360 million users. This was a big concern at the time because LinkedIn has many people from the business area, and any security flaw that makes it spear phishing easier and efficient to execute.
The big risk is that with a specially crafted spear phishing campaign a crook can steal credentials and most probably gain control of their victim’s assets, doing all this without the need of social engineering.
At the time, LinkedIn fixed the vulnerability and said: “While certain HTML content should be restricted and we have issued a fix and thanked Kaspersky researchers; the likelihood of exploit on popular modern email platforms is unlikely.”
Using the words of SecureList, “Researchers found the vulnerability after noticing escape character differences when posting comments from different devices in various posts. The second alert was a malfunction in the platform’s back-end parser that simply interpreted a CRLF (“Enter” keystroke) to an HTML tag <br />, appending it to the post as text. The two were not connected to each other, but they both raised important questions.”
It is evident that there is the risk to underestimate the security issue and at the same time the crooks could be interested to launch a malicious campaign against the popular platform.
People were puzzled since they couldn’t understand what was going on, but for sure something wasn’t right, investigators could partial imitate the behavior of escape character but they weren’t able to bypass the anti-Cross-site Scripting XSS, but eventually investigators had a breakthrough and discover something:
However, what does this means? Is LinkedIn vulnerable?
To be able to provide an answer to the question let’s make two tests.
Before explaining the tests, keep in mind that every time that you comment a post, you will receive notifications via e-mail when other users reply to the same post.
Now see the same comment, when someone commented a post from the LinkedIn website:
Now when that person does the same comments but from the mobile application:
What does this prove? It proves that LinkedIn was using two different email platforms, and that the one used by the mobile application could be used to deliver a malicious payload.
Another good example how the fixed vulnerability could be exploited at the time.
This is would it would look a comment when you see it directly in LinkedIn:
Now see the same comment when received my mail:
This means that the crook could use the flaw to inject malicious code, to redirect you to a malicious site to serve a malware
or just to steal user’s credentials.
Mitigation
As I said, in the beginning of the article LinkedIn fixed this issue, but crooks use LinkedIn to get valuable information about their victims, so be careful and always keep some tips in mind:
The history can teach us lessons, and avoid future problems, so be careful with the connections you accept, and share your personal/Working details, because that ca be used for good but also for bad, and with the right piece of information, crooks can “open some doors”.
About the Author Elsio Pinto
(Security Affairs – LinkedIn, Spear Phishing)
Data Breach / November 21, 2024
