LinkedIn password change flaw poses threat to at-risk accounts, claims researcher

Make sure you log out of all sessions!

David Bisson
@DMBisson


A vulnerability in LinkedIn’s password change process poses a potential threat to all users, especially those whose accounts might have recently been compromised.

If you’ve been following the news, you’ve likely heard about how a hacker named “Peace” is attempting to sell 117 million LinkedIn users’ emails and passwords on The Real Deal, a dark web marketplace which traffics primarily in zero-day exploits.

Peace told Motherboard that hackers originally stole the data during the LinkedIn breach of 2012. The original hackers posted only 6.5 million usernames and passwords at the time. In reality, it appears that they had access to details of 167 million users’ accounts, including 117 million for which both passwords and emails were available.


Since news first broke about the true scope of this breach, many LinkedIn users have decided to change their passwords out of caution.

If they weren’t careful, however, they might have just exposed their accounts to unauthorised parties regardless.


David Enos, a web application penetration tester working in the food industry, explains in a blog post that there is a vulnerability in LinkedIn’s password change process. It occurs when users are signed into their LinkedIn account on more than one device at a time and decide to change their password on one of them.

For his proof-of-concept exploit, the researcher changed his LinkedIn password on an Android mobile device while also signed into his account on a PC. When he finished changing his password, he noticed something interesting when he went back to his desktop:

“If you go back to your browser from PC and hit refresh, you will notice that you still remain logged in with old credentials. You can do all activities such as post, message, connect, etc but you will not be able to change password, add email addresses, or phone numbers to account. You will be received with password prompt asking for credentials, and you can still go back and perform activities. I have been monitoring this issue and noticed I can stay logged in indefinitely using this method.”

With that in mind, if you happened to change your LinkedIn password at home but forgot you had logged into your profile earlier that afternoon on a public computer, an attacker could potentially exploit this bug to assume control of your account.
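The server-side remedy for this class of flaw is to tie every session to the password it was issued under, so that a password change ends all other sessions automatically. The following is an added example, not LinkedIn's code or the researcher's; the `SessionStore` class, its method names and the `revoke_on_change` switch are hypothetical.

```python
import hashlib
import hmac
import secrets

def _hash(password, salt):
    # Work factor is a constructed demo value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    # Hypothetical in-memory store for illustration; not LinkedIn's implementation.
    def __init__(self, revoke_on_change=True):
        self.revoke_on_change = revoke_on_change  # False reproduces the reported behaviour
        self.accounts = {}  # user -> {"salt", "hash", "epoch"}
        self.sessions = {}  # token -> (user, epoch at issue time)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "hash": _hash(password, salt), "epoch": 0}

    def _check(self, user, password):
        acct = self.accounts.get(user)
        return acct is not None and hmac.compare_digest(acct["hash"], _hash(password, acct["salt"]))

    def login(self, user, password):
        if not self._check(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.accounts[user]["epoch"])
        return token

    def validate(self, token):
        user, epoch = self.sessions.get(token, (None, None))
        if user is None:
            return None
        if self.revoke_on_change and epoch != self.accounts[user]["epoch"]:
            del self.sessions[token]  # issued under an older password
            return None
        return user

    def change_password(self, token, old, new):
        user = self.validate(token)
        if user is None or not self._check(user, old):
            return None
        salt = secrets.token_bytes(16)
        acct = self.accounts[user]
        acct.update(salt=salt, hash=_hash(new, salt), epoch=acct["epoch"] + 1)
        del self.sessions[token]
        return self.login(user, new)  # fresh session for the device that made the change
```

With `revoke_on_change=False`, a session opened on a second device keeps validating after the password change, which is the behaviour described in the quote above.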


Enos notes in his post that he reported the vulnerability to LinkedIn back in February. As of this writing, the social networking company has yet to fix the issue.

While we wait for the company to address the flaw, users should make sure that they sign out of all sessions whenever they change their LinkedIn passwords.

Additionally, they should follow the advice of contributor Per Thorsheim, ensure that they are not reusing passwords on different websites, and enable two-step verification (2SV) on their LinkedIn account.

Update: A LinkedIn spokesperson has been in touch with the following response:

“David Enos is using a previous flow for password reset, which we updated when we introduced the new settings experience for all members in March. When resetting passwords, members can check a box to sign out of all sessions (you can see this when you navigate to Privacy & Settings>Account>Change Password). We also have a setting called “Where You’re Signed In” to find out where you’re logged in and give details on how to end sessions in our Help Center (https://www.linkedin.com/help/linkedin/answer/50190?query=sessions).”


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “LinkedIn password change flaw poses threat to at-risk accounts, claims researcher”

  1. Alan Ralph

    Rather than requiring users to tick a box to sign out of all other devices, LinkedIn should give the user notice that they'll need to log in again and explain why, *then* proceed with the password reset. Unfortunately, given LinkedIn's track-record with the design of their websites and apps, I'm not at all surprised that they're doing the former. Which is a pity.
