LinkedIn says SSL vulnerability does not impact most users

By Jimmy Nicholls

14:25, June 20 2014


Security firm Zimperium insisted business network was at risk.

LinkedIn has downplayed the significance of a man-in-the-middle vulnerability said to allow hackers to steal a user's account.

Using an attack method known as SSL stripping, security firm Zimperium claimed it was able to redirect all traffic through unsecured HTTP connections, allowing it to steal login credentials and take control of people's profiles.

A spokesman from LinkedIn said: "LinkedIn is committed to protecting the security of our members. In December 2013 we started transitioning the LinkedIn site to default HTTPS and just last week announced that we are serving all traffic to all users in US and EU by default over HTTPS.

"This issue does not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default."

Zimperium said it has contacted the business network six times within the last year regarding the problem, but the company has yet to patch it.

It said: "Not only is your personal LinkedIn information at risk, but also if you are an administrator for your corporate LinkedIn presence, your company's brand reputation could also be damaged if a malicious actor were to gain control over posts and email communication on LinkedIn."

It added that the mobile app was not vulnerable to the same attack, though it claimed hackers could still "sniff random HTTP requests and profile pictures".

"We believe that this vulnerability is being used, in-the-wild, against LinkedIn's users," it said.

Source: Company Press Release
