LinkedIn’s 300-plus million users risk having email addresses, passwords, messages and identities seized by cyber crooks because of a flaw LinkedIn has failed to patch, a security company reported Wednesday.
“We found that an attacker can extract a LinkedIn user’s credentials, hijack their session to gain access to all other LinkedIn information, and impersonate the user,” according to the report by San Francisco-based Zimperium. “Every single user we tested was vulnerable to this attack.”
Moreover, Zimperium said LinkedIn hasn’t responded to appeals to fix the flaw.
“We have reached out to LinkedIn six times over the last year to bring this critical vulnerability to their attention and have urged them to improve their network security,” the report said. “But more than a year after disclosing the bug they have yet to implement a patch for this vulnerability.”
LinkedIn spokeswoman Nicole Leverich said the company did respond to Zimperium and that as of last week the problem has been averted for U.S. and European users by encrypting all access to LinkedIn, as indicated by the green letters HTTPS in the website’s address. She said similar HTTPS protection is being rolled out for LinkedIn users in other parts of the world.
Illustration by KRT archives