LinkedIn fails to fix MitM vulnerability for 12 months
A flaw on the server side of LinkedIn, the business social networking service, has been open for around 12 months - despite no fewer than six warnings to the service by a security researcher.
The problem stems from the configuration of SSL (Secure Sockets Layer) connections that can open up users to a man-in-the-middle (MitM) attack.
In a MitM attack a third party - usually a cybercriminal - transparently intercepts the traffic between a user and a service, reads or alters it, and relays it on to its destination.
Both ends of the link are usually unaware that anything is wrong, while the criminals quietly harvest all manner of information from the user, such as IDs and passwords, as well as financial credentials for online banking services.
The good news is that the default settings for most UK, EU and US users - which normally enable an HTTPS connection - appear to be okay. Users outside these areas, including staff at corporates who route their IP traffic through a system at headquarters, may still be open to a MitM-driven data harvesting attack.
According to Zimperium Mobile Defence Security - which discovered what it calls 'a straightforward MITM attack' that uses an SSL stripping technique - the flaw can also allow cybercriminals to gain access to the user's LinkedIn account.
Zuk Avraham, the head of Zimperium, says that users outside Europe and the US who do not tick a box to activate optional HTTPS beyond the login screen are vulnerable to the attack.
"Through a relatively straightforward MITM attack that leverages an SSL stripping technique, hackers can steal a user's credentials and gain full control of the user's account," he said, adding that his team has reached out to LinkedIn six times over the last year to bring the critical vulnerability to its attention - and has urged the company to improve its network security, to no effect.
"When the victim types email and password, it'll be sent over the network in an unencrypted form that can be easily read by any attacker – even the most amateur ones," he explained.
Interestingly, the problem of MitM attacks is not just limited to LinkedIn, as Zimperium says that many of today's largest Web sites and social networks still haven't taken the necessary steps to protect users' sensitive data from vulnerabilities that magnify the damage of this type of attack.
"LinkedIn is one of these Web sites. Through a relatively straightforward MITM attack that leverages an SSL stripping technique, hackers can steal a user's credentials and gain full control of the user's account. Given the severity of this threat, it's the security community's responsibility to raise awareness, educate the public and urge these vulnerable companies to protect users' data," says Avraham in his analysis.
According to Mike McLaughlin, a senior pen tester and technical team lead with First Base Technologies, LinkedIn has positioned itself as a recruiter's heaven, and business professionals usually seek to further themselves with a variety of data on the service.
"Basically LinkedIn has positioned itself as a company/employee resource, so any compromise of a user's account is potentially quite serious. MitM attacks depend on the attacker being - quite literally - in the middle, and if they succeed, the user's account is usually wholly compromised," he explained.
McLaughlin went on to say that MitM attacks are usually staged via public access wireless networks, and only rarely when a user is on a corporate network, owing to the technical complexities involved.
"My observations are that issues like this can be relatively easily fixed at the server side, but I think it's a bad sign if you have to wait a year for a fix - even on a global distributed network with the 250 million users that LinkedIn has," he said, adding that whilst a VPN may prove useful when accessing LinkedIn on a public access wireless network, this is usually overkill for this situation.
Michael Sutton, vice president of security research with Zscaler, told SCMagazineUK.com that he wouldn't consider Zimperium's discovery a vulnerability, but more of a transition to enhanced security that is not yet complete.
"Zimperium is pointing out the fact that LinkedIn does not yet default to and enforce SSL-only connections for all users worldwide. Many Web applications are implementing SSL-only connectivity due to increasing privacy concerns," he said.
LinkedIn, he added, is moving in this direction and started transitioning all users to SSL-only pages in December 2013 - but the transition process is ongoing.
"While we might wish that the transition would move faster, LinkedIn should be applauded for moving in this direction. All Web properties should take note and follow the example set by the likes of LinkedIn, Google, Facebook, etc, all of which have moved to SSL only by default," he concluded.
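The two points the article turns on - an HTTPS connection that is optional rather than enforced, and a site that has not yet finished moving to SSL-only pages - are both things a site operator can check from the server's own responses. The script below is an added example for this article, not code from LinkedIn, Zimperium or Zscaler. It audits constructed HTTP responses (no network access, all sample values are made up) for the server-side gaps that make SSL stripping possible: a plain-HTTP request that is served rather than redirected to HTTPS, a missing or too-short Strict-Transport-Security (HSTS) policy, and session cookies set without the Secure flag. The `Response` class, the `MIN_HSTS_MAX_AGE` threshold and the sample hostnames are assumptions made for the example.

```python
"""Audit HTTP responses for HTTPS enforcement (added example, not the site's code).

Checks performed on each response:
  * a request over plain http:// must be answered with a redirect to https://
  * an https:// response must carry an HSTS header with a long max-age that
    also covers subdomains (so later visits never start over plain HTTP)
  * every Set-Cookie must include the Secure attribute, so the session cookie
    is never sent in the clear even if the user is tricked onto an http:// page
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Assumed threshold: one year, the minimum commonly recommended for HSTS.
MIN_HSTS_MAX_AGE = 31536000


@dataclass
class Response:
    """Minimal stand-in for a captured HTTP response (assumed shape)."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    set_cookies: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_response(resp: Response) -> List[str]:
    """Return a list of findings; an empty list means the response enforces HTTPS."""
    findings: List[str] = []
    scheme = urlsplit(resp.url).scheme.lower()
    headers = {k.lower(): v for k, v in resp.headers.items()}

    if scheme == "http":
        # A plain-HTTP request should never be served content; it should redirect.
        location = headers.get("location", "")
        redirected = resp.status in (301, 302, 307, 308) and location.lower().startswith("https://")
        if not redirected:
            findings.append("plain-HTTP request was served instead of redirected to HTTPS")
    else:
        # Browsers only honour HSTS on HTTPS responses, so check it here.
        hsts = headers.get("strict-transport-security")
        if hsts is None:
            findings.append("HTTPS response lacks Strict-Transport-Security")
        else:
            directives = parse_hsts(hsts)
            try:
                max_age = int(directives.get("max-age", "0"))
            except ValueError:
                max_age = 0
            if max_age < MIN_HSTS_MAX_AGE:
                findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
            if "includesubdomains" not in directives:
                findings.append("HSTS does not cover subdomains")

    for cookie in resp.set_cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        if "secure" not in attrs[1:]:
            findings.append(f"cookie {name!r} set without Secure flag")
    return findings


# Constructed sample responses (hostnames and cookie values are made up).
WEAK_HTTP = Response(
    url="http://www.example.com/", status=200,
    headers={"Content-Type": "text/html"},
    set_cookies=["session=abc123; Path=/; HttpOnly"],
)
WEAK_HTTPS = Response(
    url="https://www.example.com/login", status=200,
    headers={"Strict-Transport-Security": "max-age=600"},
    set_cookies=["session=abc123; Path=/; HttpOnly"],
)
HARDENED_REDIRECT = Response(
    url="http://www.example.com/", status=301,
    headers={"Location": "https://www.example.com/"},
)
HARDENED_HTTPS = Response(
    url="https://www.example.com/login", status=200,
    headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    set_cookies=["session=abc123; Path=/; Secure; HttpOnly"],
)

if __name__ == "__main__":
    for sample in (WEAK_HTTP, WEAK_HTTPS, HARDENED_REDIRECT, HARDENED_HTTPS):
        print(sample.url, audit_response(sample) or ["ok"])
```

The weak samples reproduce the situation the article describes: a login form reachable over plain HTTP with a cookie that would travel in the clear. The hardened pair shows what "SSL-only by default" looks like at the header level, which is also what a browser needs in order to refuse a downgraded connection on later visits.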