Thursday, 19 June 2014

Millions of LinkedIn Users at Risk of Man-in-the-Middle Attack

Linkedin mitm
Two year back in 2012, one of the most popular online social networking sites Linkedin spent between $500,000 and $1 million on forensic work after millions of its users’ account passwords were compromised in a major security data breach. But, it seems that the company hasn't learned any lesson from it.

WHAT IS MAN-IN-THE-MIDDLE (MitM) ATTACK
Before moving on to the story, let us discuss some emerging and common threats against the social networking sites nowadays. If we talk about less publicized but more danger, then Man-in-the-Middle (MitM) attack is the most common one. By attempting MitM attack, a potential attacker could intercept users’ internet communication, steal sensitive information and even hijack sessions.

Though MitM attacks are popular and have existed for years, a major categories of today’s largest websites and social networking sites still haven’t taken the necessary steps to safeguard their users’ personal and sensitive data from the vulnerabilities that raise the danger of this type of attacks.

LINKEDIN SSL STRIP ATTACK
The popular professional network, LinkedIn has left hundreds of millions of its users exposed to Man-in-the-Middle (MitM) attack due to the way the site uses Secure Sockets Layer (SSL) encryption in its network.

No doubt, LinkedIn is using HTTPS connection for user login pages, but they are not using HTTP Strict Transport Security (HSTS) technology that prevents any communications from being sent over HTTP, instead send all communications over HTTPS.
Linkedin mitm hack
According to researchers at Israel-based Zimperium Mobile Threat Defence, the poor implementation of HTTPS/SSL allows a hacker to intercept a user’s communication by replacing all “HTTPS” requests with its non-encrypted form, “HTTP”, known as “SSL stripping” attack.
Once the attacker has extracted a user’s credentials, they can reuse the user’s credentials or session cookies to authenticate and forge the exact session,” reads the blog post.
VIDEO DEMONSTRATION
In a video demonstration, researchers have practically used this tool against LinkedIn website and as a result of SSL stripping, they intercepted one of its users’ account by a MITM attack and successfully grabbed users’ account information and every single user they tested was vulnerable to this attack.

VULNERABLE COMPONENTS
By attempting MitM attack against the website, an attacker can grab a LinkedIn user’s credentials, hijack their session to gain access to all other LinkedIn information and impersonate the user. Attackers could do multiple things including:
  • Email address
  • Password
  • Read and Sent Messages
  • Connections
  • “Who viewed my profile”
Attackers can impersonate the user to use any account feature, including:
  • Send invitations to connect
  • Edit the user’s profile
  • Edit job postings
  • Manage company pages
So not only is your personal LinkedIn information at risk, but also if you are an administrator for your corporate LinkedIn presence, your company’s brand reputation could also be damaged if a malicious actor were to gain control over posts and email communication on LinkedIn,” reads the blog post.

REMOTE ATTACKS
Moreover, this vulnerability in the LinkedIn doesn't just exist when a potential attacker is on the same network as the targeted victim.

To perform MITM attack remotely, an attacker can compromise a device and once that device enters a different network, the same attacker can use the victim’s device remotely to perform man-in-the-middle attack on other users on the victim’s network.

LINKEDIN IMPLEMENTING HTTPS BY DEFAULT, BUT VERY SLOWLY
Researchers from Zimperium first responsibly reported this critical ‘session hijacking’ vulnerability to the LinkedIn security team in May 2013. Despite, reaching out to LinkedIn six times over the last year, the team have not responded seriously.

Later from December 2013, LinkedIn started transition of the website to default HTTPS and just last week they have successfully upgraded US and European users to Default HTTPS Network. Because of slow implementation of default SSL, Zimperium finally rolled out the disclosure of the vulnerability publically.
LinkedIn spokeswoman Nicole Leverich said the issue described by Zimperium “does not impact the vast majority of LinkedIn members given our ongoing global release of https by default.
HOW TO ENABLE FULL HTTPS MANUALLY
However, In 2012, LinkedIn offers its users an option to change their security settings to full HTTPS manually, but many might not have known about it. You can enable it by going into your LinkedIn settings, Open “account” tab and Click “manage security settings” to select Full HTTPS.

Reference- http://thehackernews.com/

No comments:

Post a Comment