LinkedIn Patches Two Major Security Flaws
LinkedIn tends to be a little more buttoned up and low key than Facebook or Twitter. As a result, attackers tend to treat it as a secondary target. A secondary target, though, is a target nonetheless, and until recently LinkedIn carried two cross-site scripting (XSS) flaws. A patch has addressed both, although in a fairly inelegant fashion.
The first flaw affected the "Add Connection" feature, which lets users connect with one another individually. The feature did not adequately neutralise cross-site scripting, in which attacker-supplied markup or script is injected into a page the site itself serves and therefore runs in the victim's browser with that page's privileges, including access to the LinkedIn session. An attacker could use it to redirect users to a look-alike LinkedIn login page, push arbitrary HTML (the markup language in which web pages are written) into the victim's session, steal cookies, or phish for passwords and other private information.
The second issue affected LinkedIn groups rather than individual users. Group pages were not as tightly controlled as individual profiles, which let an attacker pose as a LinkedIn user and target hundreds or even thousands of members at once. Because users grant LinkedIn permission to email them when they join a group, an attacker could create group content that, with a little injected HTML, caused emails to be sent directly to other group members, leading them to malicious websites.
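The mechanism behind both flaws is the same: text an attacker controls ends up in a page or message the site generates without being encoded for its HTML context. The following is an added example, not LinkedIn's code and not the code that was actually vulnerable; the "Add Connection" confirmation page, the `social.example` host, the `name` query parameter and the attacker's payload are all constructed here to illustrate the vulnerable pattern beside its hardened form.

```python
import html
from urllib.parse import parse_qs, quote, urlparse

# Added example, not LinkedIn's code. Hypothetical: a handler that builds an
# "Add Connection" confirmation page from an attacker-controllable `name`
# query parameter. The host, parameter, page shape and payload are assumptions.

# Constructed attacker payload: script that sends the victim to a look-alike
# login page, the phishing step the article describes.
PAYLOAD = '<script>location="https://login-linkedin.example/"</script>'


def attack_url() -> str:
    """The link an attacker would send; the payload is percent-encoded so it survives the trip."""
    return "https://social.example/connect?name=" + quote(PAYLOAD)


def name_from_url(url: str) -> str:
    """Extract the `name` parameter the way a request handler would (percent-decoded)."""
    return parse_qs(urlparse(url).query).get("name", [""])[0]


def render_vulnerable(name: str) -> str:
    """Reflected XSS: untrusted text is concatenated straight into the HTML body."""
    return f"<p>You are now connected with {name}.</p>"


def render_hardened(name: str) -> str:
    """Same page with untrusted text entity-encoded for the HTML text/attribute context."""
    return f"<p>You are now connected with {html.escape(name, quote=True)}.</p>"


def contains_live_script(page: str) -> bool:
    """Regression check: does a raw <script> tag reach the browser unencoded?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    victim_name = name_from_url(attack_url())
    print("vulnerable:", render_vulnerable(victim_name))
    print("hardened:  ", render_hardened(victim_name))
    print("script survives in vulnerable page:", contains_live_script(render_vulnerable(victim_name)))
    print("script survives in hardened page:  ", contains_live_script(render_hardened(victim_name)))
```

Two caveats a practitioner would add. Encoding is context-specific: `html.escape` is the right transform only for HTML text and quoted attribute values, and a value placed inside a URL, a JavaScript string or a CSS block needs the encoder for that context instead. And because the article's attack also covers cookie theft, session cookies should carry the `HttpOnly` flag so that a script which does slip through cannot read them from `document.cookie`; output encoding stops the injection, `HttpOnly` limits the damage if it fails.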
Although LinkedIn has responded to the issue effectively, its solutions are not pretty and only somewhat timely. LinkedIn first acknowledged the cross-site scripting issues in 2010, although it did fix the "Add Connection" vulnerability within 48 hours of it being reported. Attempting the exploit now returns an HTTP 500 error: a generic server-error page that says nothing about what was blocked or why, rather than a rejection of the malformed input.
While these two issues were relatively minor, LinkedIn has run afoul of Internet security before. In 2012, a hacker made off with more than six million password hashes, which had been stored as unsalted SHA-1 and were consequently cracked in short order. Shortly before that, security researchers found that the LinkedIn iOS app sent users' calendar entries, including any passwords recorded in meeting notes, to its central servers in a way that made them easy for an attacker to acquire in transit.
Since the problems have been corrected, there's not much for the end-user to do except be wary of any emails received from LinkedIn groups before today. Making sure your mobile LinkedIn apps are up-to-date as well couldn't hurt.