Thursday, September 18, 2014

BREACH: LinkedIn flaw helps hackers uncover email addresses

A pair of self-proclaimed "ethical hackers" have discovered what they call a "logic flaw" in the social networking site LinkedIn.

The flaw could allow anyone with just a basic grasp of navigating a website to validate email addresses using LinkedIn's tool for confirming connections with other members.

Bryan Seely and Ben Caudill of Rhino Security Labs say the flaw could become a hacker's first step to identity theft because it is often the case that a valid email address is a person's user name for many accounts not associated with LinkedIn.

LinkedIn prides itself on offering an effortless way to check your contact list against its database of member email addresses to see whether any of your contacts is a LinkedIn member. But Seely and Caudill demonstrated how they could upload a comma-separated values file, commonly known as a CSV file, containing dozens of email address guesses. Most email programs can produce a CSV file to allow importing of contacts from one email program to another.

For example, Seely demonstrated how to make a list of email address guesses for billionaire investor and "Shark Tank" star Mark Cuban. Within seconds, LinkedIn displayed Cuban's public profile and confirmed that one of Seely's guesses was correct. Seely then put Cuban's email address into the text messaging function on his iPhone. Because the address turned blue on his iPhone, that signaled to Seely that Cuban's email address is tied to his iPhone and that he could have an iCloud account.

"Now I can send him a text," said Seely. 

And he did. Cuban would later respond, asking Seely and Caudill to check out Cyberdust, a new messaging app Cuban was investing in.

"You can't get direct access to someone's account through this, but it's a good start," said Caudill. "It's a crack in the infrastructure, essentially it's a start to much bigger attacks, such as the brute forcing with the celebrities recently."

Caudill is referring to hackers' recent access to compromising pictures in the iCloud accounts of several celebrities, including Jennifer Lawrence. Brute forcing is a technique hackers use to find a password.

"Brute forcing, which is essentially the idea of taking a user name or known email address in this case, and uploading a huge list of passwords on an automated scale and guessing one after another after another," said Caudill.

When Seely first contacted LinkedIn about his discovery, he said company officials told him "they were not interested."

Now that Seely and Caudill have gone public with their find, LinkedIn is responding, saying it is working on a fix. A spokeswoman for LinkedIn says the popular social networking site has abuse detection and rate limiting systems in place to prevent abuse of the contact feature Rhino Security Labs says is vulnerable.

Nicole Leverich of LinkedIn said effective immediately, a LinkedIn member can contact the support team and ask to be "manually opted out of having their email address discoverable to people they are not connected with through address book import."

"We are working on building this as an option members can select in settings," she said.
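The address-book matching described earlier is an enumeration oracle: every confirmed guess is a valid email address. The following is an added example, not LinkedIn's code, of how a contact-import matcher can combine the two countermeasures LinkedIn mentions, a per-member opt-out from discovery via address book import and a per-caller limit on unmatched lookups. The member table, the `discoverable_by_import` flag, the `MAX_MISSES` budget and the CSV layout are assumptions made for the example.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample member directory (not real members or addresses).
MEMBERS = {
    "alice@example.com": {"name": "Alice", "discoverable_by_import": True},
    "bob@example.com": {"name": "Bob", "discoverable_by_import": False},  # opted out
}

# Assumed budget: a genuine address book matches mostly real contacts, while a
# guess list produces many misses per hit, so a small miss budget stops guessing.
MAX_MISSES = 3


@dataclass
class ImportSession:
    """Per-caller state for one address-book import (assumed, in-memory)."""
    caller: str
    misses: int = 0
    locked: bool = False


def emails_from_csv(text):
    """Extract the 'Email' column from an exported contacts CSV (assumed header name)."""
    rows = csv.DictReader(io.StringIO(text))
    return [row["Email"].strip().lower() for row in rows if row.get("Email")]


def match_contacts(session, uploaded):
    """Return the names of discoverable members found among `uploaded` addresses.

    Opted-out members are treated exactly like non-members (they also count as a
    miss), so the response reveals nothing about them. Once the caller exceeds
    MAX_MISSES the session is locked and returns nothing, even for real hits.
    """
    if session.locked:
        return []
    found = []
    for addr in uploaded:
        member = MEMBERS.get(addr.strip().lower())
        if member is None or not member["discoverable_by_import"]:
            session.misses += 1
            if session.misses > MAX_MISSES:
                session.locked = True  # abuse detected: stop answering this caller
                return []
            continue
        found.append(member["name"])
    return found
```

A real deployment would persist the miss counter per account and per network origin and back it with the kind of abuse detection LinkedIn describes; the point here is that the opt-out and the miss budget are enforced in the same lookup path the attacker uses.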

Seely is gaining a reputation for being a security gadfly to some of the largest sites on the web. Earlier this year he demonstrated how someone can "mapjack" Google Maps and create fictitious business listings or change existing business listings using Google's own tools.

Last month the two web security researchers demonstrated that anonymous posts on the website Secret were not so secret: they were able to figure out the identities of the people behind posts that were thought to be anonymous.

The two believe the LinkedIn flaw doesn't compromise LinkedIn's online security, but it gives a hacker an opening to validate information that could lead to identity theft.

"It's small pieces of information, small holes, small attack vectors that generate something much larger and that's where we started here," said Seely.
