SecurityWeek

Vulnerabilities

LinkedIn Responds to Criticism of its SSL Implementation

LinkedIn said that a majority of its users are not affected by the SSL issue reported by security company Zimperium.

According to Zimperium, an attacker could launch a man-in-the-middle (MITM) attack leveraging an SSL stripping technique to steal a user’s credentials and gain control of the victim’s account, due to the way LinkedIn implements SSL.

“We used our own implementation of SSL Strip and MITM with zANTI, our Mobile Pentesting Toolkit,” explained Zimperium CEO Zuk Avraham. “The toolkit tests for several vulnerabilities, and unfortunately, this particular attack is simple and can be done by the most amateur hackers. We have detected many MITM attacks in the wild with Zimperium Mobile IPS – and I am afraid that this issue is endangering many users. Since we reported the attack over a year ago, we wanted to bring this threat to the attention of the users who are still at risk.”

The company said it reported the situation to LinkedIn six times during the past year, and that LinkedIn responded twice – most recently in December by stating it was putting together a timeline for full SSL on-by-default deployment.

The social networking site began to transition to HTTPS by default last year, starting with users in the Netherlands. Members have had the ability to opt in to access the site using HTTPS since early 2012.

“LinkedIn is committed to protecting the security of our members,” spokesperson Nicole Leverich said in a statement. “In December 2013 we started transitioning the LinkedIn site to default HTTPS and just last week announced that we are serving all traffic to all users in US and EU by default over HTTPS. This issue does not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default.”

There are several different ways to prevent SSL stripping, Avraham told SecurityWeek. LinkedIn, for example, could change the default connection settings to HTTPS only and ensure the cookie is set to HTTPS only and cannot be accessed via JavaScript (HttpOnly). The other solution is to integrate a combination of security services that protect desktop and mobile devices from attacks like this, he said.

Mike Shema, director of engineering at Qualys, said he suspects many other sites are equally vulnerable – not to mention all those sites that don’t bother with HTTPS in the first place.

“The important point here is that adopting HTTPS can’t be done as a half-measure,” he said. “It must be on all the time for all the resources. Otherwise, users will be exposed to SSL stripping-types of attacks. The HTTP Strict Transport Security (HSTS) headers are intended to help sites enforce this for browsers.”

“But as the Qualys SSL Labs team has found, only about one percent of sites surveyed implement it. One good thing for the future is that protocols like SPDY and HTTP 2.0 are adopting encrypted transport by default,” he said. “The catch is that, like HSTS, these protocols need to become well-accepted standards and supported by browsers before we start to see any real benefit from them.”
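The controls Avraham and Shema describe (HTTPS-only by default, cookies flagged Secure and HttpOnly, and HSTS) can be checked from a site's own responses. The following audit script is an added example written for this article, not code from LinkedIn, Zimperium or Qualys; the hostname example.invalid and the sample headers are constructed.

```python
"""Audit an HTTP and an HTTPS response for the SSL-stripping controls above:
HTTP redirects to HTTPS, HTTPS sends HSTS (browsers ignore HSTS over plain
HTTP), and every cookie carries Secure and HttpOnly. Samples are constructed."""
from typing import Dict, List, Tuple

Response = Tuple[int, List[Tuple[str, str]]]  # (status code, header pairs)


def header(hdrs: List[Tuple[str, str]], name: str) -> str:
    """First value of a header, case-insensitively; '' if absent."""
    return next((v for k, v in hdrs if k.lower() == name), "")


def parse_hsts(value: str) -> Dict[str, str]:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.strip().partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def cookie_flags(set_cookie: str) -> set:
    """Lower-cased attribute names of one Set-Cookie value (Secure, HttpOnly, ...)."""
    return {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:] if a.strip()}


def audit(http: Response, https: Response, min_age: int = 15552000) -> List[str]:
    """Return findings; an empty list means all three controls are present."""
    findings: List[str] = []
    status, hdrs = http
    if not (300 <= status < 400 and header(hdrs, "location").lower().startswith("https://")):
        findings.append("http-not-redirected-to-https")
    _, hdrs = https
    age = parse_hsts(header(hdrs, "strict-transport-security")).get("max-age", "")
    if not age.isdigit() or int(age) < min_age:
        findings.append("hsts-missing-or-short")
    for k, v in hdrs:
        if k.lower() == "set-cookie":
            name = v.split("=", 1)[0].strip()
            for flag in sorted({"secure", "httponly"} - cookie_flags(v)):
                findings.append(f"cookie-{name}-missing-{flag}")
    return findings


# Constructed samples: content served over plain HTTP with an unprotected
# session cookie, and the hardened configuration the article's sources describe.
WEAK = ((200, [("Content-Type", "text/html")]),
        (200, [("Set-Cookie", "session=abc123; Path=/")]))
HARDENED = ((301, [("Location", "https://example.invalid/")]),
            (200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                   ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]))
```

`audit(*WEAK)` reports all three gaps an SSL-stripping proxy would exploit, while `audit(*HARDENED)` returns an empty list; the six-month minimum `max-age` is a common baseline and is an assumption, not a value from the article.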
