Incomplete SSL rollout poses security risks to LinkedIn users outside the US and Europe

Jun 19, 2014 18:27 GMT

Zuk Avraham, CEO of the mobile security startup Zimperium, has presented a method that would allow a cybercriminal to gain full control of a LinkedIn user's account through a man-in-the-middle attack that relies on SSL stripping.

In SSL stripping, the attacker interposes between the user and the service they are trying to reach and replaces HTTPS (HTTP Secure) requests with insecure HTTP ones, so that the intercepted information can be read in plain text.

The demonstration was carried out with a mobile pentesting component developed by the company and showed that an attacker could obtain a LinkedIn user's credentials and hijack their session.

According to Avraham, the information exposed by the attack consists of the email address, the password, messages that have been read and sent, and the entire list of connections.

Since the criminal has full control of the account, they can carry out actions such as sending invitations, editing the user's profile and job postings, or managing company pages in the case of a corporate account.

During the demonstration, he found that every user he tested was vulnerable if they were working from a compromised device.

“With LinkedIn, the default login page is using SSL so that users’ credentials (i.e., username and password) will be sent securely to the server. Once the user authentication is successful, it will redirect to http:// for the remainder of the time a user is browsing LinkedIn. This means that LinkedIn, one of the largest social networks, still has a significant portion of its website traffic that does not enforce the use of https://,” said Avraham in the blog post.
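The post-login redirect to http:// that Avraham describes is exactly what an SSL-stripping attacker needs. The following is an added example, not code from the article or from Zimperium: an offline check over two constructed post-login responses (hostnames under the reserved example.invalid domain) that flags a redirect that downgrades to plain HTTP, a session cookie without the Secure flag, and a missing Strict-Transport-Security header, the standard mitigations the article does not name.

```python
from urllib.parse import urlparse
REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response(raw):
    """Split a raw HTTP response into (status code, list of (name, value) header pairs)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit_login_response(raw):
    """Return findings that would let an SSL-stripping MITM read the session in clear text."""
    status, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        # The downgrade the article describes: an HTTPS login answered with a redirect to http://
        if name == "location" and status in REDIRECT_CODES and urlparse(value).scheme == "http":
            findings.append("redirect downgrades to " + value)
        # A session cookie without Secure is sent along with the very next plain-HTTP request
        if name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append("cookie without Secure flag: " + value.split("=")[0])
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header")
    return findings

# Constructed sample: a post-login response that hands the browser back to plain HTTP.
WEAK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.example.invalid/home\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample of the hardened form: stays on HTTPS, pins it with HSTS,
# and marks the session cookie Secure so it never travels over HTTP.
SAFE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.example.invalid/home\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(label, audit_login_response(raw) or ["ok"])
```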

According to LinkedIn's announcements regarding the transition to HTTPS by default for all pages, the rollout began in December 2013 but is not complete; at the moment, only the traffic of users in the US and Europe is served over an encrypted connection.

Users in other regions of the world, however, get HTTPS only on the login page; once authentication completes, the connection switches to HTTP.

They can turn on encrypted traffic from the security settings menu of their LinkedIn account, an option that has been available to all users since 2012.

Avraham contacted LinkedIn and disclosed his findings in May 2013. The social network for professionals confirmed the vulnerability but claimed that it did not affect users with the secure connection option turned on.

Although Avraham's demonstration is not exactly the disclosure of a zero-day vulnerability, the issue it exposes is significant and applies to users outside the US and Europe.