LinkedIn exploit 'left millions exposed' to malware

Check Point research highlights now patched vulnerabilities in LinkedIn's messaging service

LinkedIn on a mobile device

Exploits in LinkedIn's own security measures potentially allowed hackers to spread malicious files across the social networking site and infect millions of user PCs, it has been claimed.

The Microsoft-owned professional networking site, that boasts over 500 million users in 200 countries, allows members to chat, share CVs and send job descriptions to others in their network using a messenger service.

Multiple vulnerabilities were identified in LinkedIn's own security measures that are designed to restrict the types of files that are uploaded to LinkedIn's chat windows, according to security researchers at Check Point.

Advertisement - Article continues below

Typically these measures allow only a handful of extensions including pdf, text documents and jpegs, however, it was discovered that attackers could bypass these checks by uploading malicious files masquerading as accepted extensions. These were then capable of spreading throughout a user's network of contacts and infect any PCs connecting to those accounts.

The research identified four exploits in the LinkedIn security systems, including a limitation that failed to identify a malicious Power Shell script that was saved as a .pdf, which if downloaded, would remain undetected on a user's PC.

How a link may have appeared in a user's chat window

The Power Shell script made to masquerade as a .pdf file

Advertisement
Advertisement - Article continues below

The system was also unable to detect malicious Excel XLSM macros, disguised with an accepted .xlsx extension, which when uploaded would bypass the antivirus checks and be sent unnoticed to a user.

These types of attacks meant hackers could infect a user's PC with whatever code they wished, potentially stealing personal information, encrypting data, or hijack a machine for the purpose of spreading malware to other PCs.

Advertisement - Article continues below

Although there is no evidence that the vulnerabilities had been noticed and exploited by hackers, it serves to highlight the importance of robust security measures on a site that allows its millions of users to share files with each other.

Check Point notified LinkedIn of the vulnerabilities earlier this year, and they have since been acknowledged and patched as of the 24 June.

Main image: Bigstock - body images courtesy of Check Point.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement

Recommended

Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/cloud/356260/the-road-to-recovery
Sponsored

The road to recovery

30 Jun 2020