LinkedIn’s security team has patched a security issue that could have allowed attackers to run spear phishing campaigns and potentially take remote control of victims’ accounts. The fix follows a warning from researchers at Kaspersky Lab, who reported the vulnerability to LinkedIn on November 14, 2014.

Source: Kaspersky Lab – SecureList

In a blog post, Kaspersky Lab Senior Security Researcher Ido Naor explains how two malfunctions in the way LinkedIn processed and displayed user comments alerted him that something was wrong. The first was that different escape characters were displayed when the same comment was posted from different devices; the second was a back-end parser issue in which the CRLF produced by the “Enter” keystroke was interpreted as a <br /> tag and displayed as such, as literal text, in the comment.

Further research led to the discovery of two separate email platforms that LinkedIn used to notify users of comments.

“Submitting comments with HTML tags from the web platform generated %3C as the less-than character, while the same input from a mobile device was encoded to
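The encoding inconsistency Naor describes is the classic symptom of output escaping being applied at one layer while a later layer decodes the user's input again, so the same comment is rendered inert from one client and live from another. The Python below is an added illustration, not code from Kaspersky Lab, LinkedIn or the SecureList post. The sample comments, the assumption that the web client percent-encodes angle brackets while the mobile client sends them raw, and the escape-then-decode ordering in `render_vulnerable` are all constructed to model the observed symptom, not LinkedIn's actual implementation.

```python
import html
from urllib.parse import unquote

# Constructed sample input (not taken from the original report). The two
# strings carry the same comment as two clients are assumed to submit it:
# the web client percent-encodes '<' and '>' (%3C / %3E), the mobile client
# sends the raw characters.
WEB_COMMENT = "%3Cimg src=x onerror=alert(1)%3E"
MOBILE_COMMENT = "<img src=x onerror=alert(1)>"


def render_vulnerable(comment: str) -> str:
    """Hypothetical buggy pipeline: HTML-escape first, percent-decode second.

    html.escape never touches '%3C', so the escaping step sees nothing to do;
    the decode step that follows then manufactures a live '<' in the output.
    The raw '<' from the mobile client, by contrast, is neutralised correctly,
    which is exactly the per-device difference a tester would notice.
    """
    escaped = html.escape(comment, quote=True)   # '<' -> '&lt;', '%3C' unchanged
    decoded = unquote(escaped)                   # '%3C' -> '<' AFTER escaping
    return decoded.replace("\r\n", "<br />")


def render_hardened(comment: str) -> str:
    """Canonicalise to one representation first, escape once at emission.

    Whatever transport encoding the client used is undone before any security
    decision is made, then the text is escaped once, and only then is constant
    markup (the <br /> for a line break) inserted. Constant markup added after
    escaping is safe because no user-controlled byte is reinterpreted afterwards.
    """
    canonical = unquote(comment)                 # one representation for all clients
    escaped = html.escape(canonical, quote=True) # user text is now inert
    return escaped.replace("\r\n", "<br />").replace("\n", "<br />")


def contains_live_tag(rendered: str) -> bool:
    """True if the rendered HTML still carries an un-escaped <img ...> tag."""
    return "<img" in rendered


def consistent_across_clients(render, web: str, mobile: str) -> bool:
    """The tell Naor used: the same comment must render identically regardless of
    which client submitted it. Any difference points at an encoding mismatch."""
    return render(web) == render(mobile)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"[{name}] web:    {render(WEB_COMMENT)}")
        print(f"[{name}] mobile: {render(MOBILE_COMMENT)}")
        print(f"[{name}] consistent across clients: "
              f"{consistent_across_clients(render, WEB_COMMENT, MOBILE_COMMENT)}")
    print(repr(render_hardened("line one\r\nline two")))
```

The check worth keeping from this is `consistent_across_clients`: when auditing a comment or notification pipeline, submit the same payload through every entry point (web, mobile, API, e-mail digest) and diff the rendered results. Identical output does not prove the pipeline safe, but any difference is a strong sign that one path escapes and another decodes in the wrong order.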
Source: Kaspersky Lab – SecureList

To avoid these and other types of attack, Naor recommends that users keep an up-to-date Internet security product on their machines, exercise caution whenever opening an attachment, and decouple their corporate email accounts from their LinkedIn profiles.