LinkedIn exploit 'left millions exposed' to malware

Check Point research highlights now patched vulnerabilities in LinkedIn's messaging service

LinkedIn on a mobile device

Exploits in LinkedIn's own security measures potentially allowed hackers to spread malicious files across the social networking site and infect millions of user PCs, it has been claimed.

The Microsoft-owned professional networking site, that boasts over 500 million users in 200 countries, allows members to chat, share CVs and send job descriptions to others in their network using a messenger service.

Multiple vulnerabilities were identified in LinkedIn's own security measures that are designed to restrict the types of files that are uploaded to LinkedIn's chat windows, according to security researchers at Check Point.

Typically these measures allow only a handful of extensions including pdf, text documents and jpegs, however, it was discovered that attackers could bypass these checks by uploading malicious files masquerading as accepted extensions. These were then capable of spreading throughout a user's network of contacts and infect any PCs connecting to those accounts.

Advertisement - Article continues below
Advertisement - Article continues below

The research identified four exploits in the LinkedIn security systems, including a limitation that failed to identify a malicious Power Shell script that was saved as a .pdf, which if downloaded, would remain undetected on a user's PC.

How a link may have appeared in a user's chat window

The Power Shell script made to masquerade as a .pdf file

The system was also unable to detect malicious Excel XLSM macros, disguised with an accepted .xlsx extension, which when uploaded would bypass the antivirus checks and be sent unnoticed to a user.

These types of attacks meant hackers could infect a user's PC with whatever code they wished, potentially stealing personal information, encrypting data, or hijack a machine for the purpose of spreading malware to other PCs.

Although there is no evidence that the vulnerabilities had been noticed and exploited by hackers, it serves to highlight the importance of robust security measures on a site that allows its millions of users to share files with each other.

Advertisement - Article continues below

Check Point notified LinkedIn of the vulnerabilities earlier this year, and they have since been acknowledged and patched as of the 24 June.

Main image: Bigstock - body images courtesy of Check Point.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Best free malware removal tools 2019

23 Dec 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020