A pair of self-proclaimed "ethical hackers" have discovered what they
call a "logic flaw" in the social networking site LinkedIn.
The flaw could allow anyone with just a basic grasp of navigating a
website to confirm an email address using LinkedIn's tool for finding
connections with other members.
Bryan Seely and Ben Caudill of Rhino Security Labs say the flaw could
become a hacker's first step to identity theft because it is often the
case that a valid email address is a person's user name for many
accounts not associated with LinkedIn.
LinkedIn prides itself on offering an effortless way to check your
contact list against its email database of other members to see if any
of your contacts are LinkedIn members. But Seely and Caudill
demonstrated how they can upload a comma-separated-value file, commonly
known as a CSV file, containing dozens of email address guesses. Most
email programs can produce a CSV file to allow importing of contacts
from one email program to another.
For example, Seely demonstrated how to make a list of email address
guesses for billionaire investor and "Shark Tank" star Mark Cuban.
Within seconds, LinkedIn displayed Cuban's public profile and confirmed
one of Seely's guesses was correct. Seely then put Cuban's email
address into the text-messaging function on his iPhone. Because the
address turned blue on his iPhone, that signaled to Seely that Cuban's
email address is tied to his iPhone and he could have an iCloud account.
"Now I can send him a text," said Seely.
And he did. Cuban would later respond, asking Seely and Caudill to check
out Cyberdust, a new messaging app Cuban was investing in.
"You can't get direct access to someone's account through this, but it's
a good start," said Caudill. "It's a crack in the infrastructure,
essentially it's a start to much bigger attacks, such as the brute
forcing with the celebrities recently."
Caudill is referring to the recent theft by hackers of compromising
pictures from the iCloud accounts of several celebrities, including
Jennifer Lawrence. Brute forcing is a technique hackers use to guess a
password.
"Brute forcing, which is essentially the idea of taking a user name or
known email address in this case, and uploading a huge list of passwords
on an automated scale and guessing one after another after another,"
said Caudill.
When Seely first contacted LinkedIn about his discovery, he said company officials told him "they were not interested."
Now that Seely and Caudill have gone public with their find, LinkedIn is
responding, saying it is working on a fix. A spokeswoman for LinkedIn
says the popular social networking site has abuse detection and rate
limiting systems in place to prevent abuse of the contact feature Rhino
Security Labs says is vulnerable.
Nicole Leverich of LinkedIn said effective immediately, a LinkedIn
member can contact the support team and ask to be "manually opted out of
having their email address discoverable to people they are not
connected with through address book import."
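The contact-import check described above, together with the opt-out and rate-limiting controls LinkedIn mentions, sketched as an added Python example. This is not LinkedIn's code; the member directory, the policy thresholds and the two sample CSV uploads are constructed for illustration.

```python
import csv
import io

# Constructed sample directory (not LinkedIn data): email -> public profile name.
MEMBERS = {
    "alice@example.com": "Alice Example",
    "bob@example.com": "Bob Example",
    "carol@example.com": "Carol Example",
}
# Members who asked not to be discoverable through address-book import.
OPTED_OUT = {"carol@example.com"}

# Assumed policy knobs; LinkedIn's real thresholds are not public.
MAX_ADDRESSES_PER_WINDOW = 500  # per uploader per time window
MIN_BATCH_FOR_HIT_RATE = 20     # small, genuine imports are never judged
MAX_MISS_RATE = 0.9             # a guess list is mostly misses


def parse_contacts_csv(csv_text):
    """Extract lower-cased addresses from an exported-contacts CSV with an Email column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [r["Email"].strip().lower() for r in reader if r.get("Email", "").strip()]


def import_contacts(uploader, emails, usage):
    """Match uploaded addresses against the directory, with abuse controls.

    usage maps uploader -> addresses already submitted this window (mutated).
    Returns (matched profile names, verdict); verdict is "ok",
    "rate_limited" or "suspected_enumeration".
    """
    used = usage.get(uploader, 0)
    if used + len(emails) > MAX_ADDRESSES_PER_WINDOW:
        return [], "rate_limited"  # refuse before revealing anything
    usage[uploader] = used + len(emails)
    matches = [MEMBERS[e] for e in emails if e in MEMBERS and e not in OPTED_OUT]
    if len(emails) >= MIN_BATCH_FOR_HIT_RATE:
        miss_rate = 1 - len(matches) / len(emails)
        if miss_rate > MAX_MISS_RATE:
            # A real address book is mostly people the uploader knows;
            # a batch that is almost all misses looks like guessing.
            return [], "suspected_enumeration"
    return matches, "ok"


# Constructed inputs: a genuine three-contact export and a 25-entry guess list
# that varies the local part of one address.
GENUINE_CSV = "Name,Email\nAlice,alice@example.com\nBob,bob@example.com\nDan,dan@example.org\n"
GUESS_CSV = "Name,Email\n" + "".join(
    f"Target,{p}@example.com\n" for p in ["alice"] + [f"guess{i}" for i in range(24)]
)
```

The miss-rate heuristic is only one signal; a production system would also look at upload frequency per account and at how many uploads probe the same name.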
"We are working on building this as an option members can select in settings," she said.
Seely is gaining a reputation for being a security gadfly to some of the
largest sites on the web. Earlier this year he demonstrated how someone
can "mapjack" Google Maps and create fictitious business listings or
change existing business listings using Google's own tools.
Last month the two web security researchers demonstrated how anonymous
posts on the website Secret were not so secret. They were able to figure
out the identities of the people behind the posts, who thought they were
anonymous.
The two believe the LinkedIn flaw doesn't compromise LinkedIn's online
security, but it gives a hacker an opening to validate information that
could lead to identity theft.
"It's small pieces of information, small holes, small attack vectors
that generate something much larger and that's where we started here,"
said Seely.