world of internet security, latest cyber security news,information,updates on technology,it job vacancies,internet security,breaches,and safeguards

Wednesday 25 May 2016

LinkedIn password change flaw poses a potential threat to all users


A vulnerability in LinkedIn's password change process poses a potential threat to all users, especially those whose accounts might have recently been compromised.

If you've been following the news, you've likely heard about how a hacker named "Peace" is attempting to sell 117 million LinkedIn users' emails and passwords on The Real Deal, a dark web marketplace which traffics primarily in zero-day exploits.

Hackers originally stole the data during the LinkedIn breach of 2012. At the time, the original hackers posted only 6.5 million usernames and passwords. In reality, it appears that they had access to the details of 167 million users' accounts, including 117 million for which both an email address and a password were available.

Since news first broke about the true scope of this breach, many LinkedIn users have decided to change their passwords out of caution.

If they had other sessions open at the time, however, the password change alone did not lock those sessions out, so their accounts may remain exposed to unauthorised parties regardless.


The vulnerability in LinkedIn's password change process occurs when a user is signed into their LinkedIn account on more than one device at a time and changes the password on one of them: the sessions on the other devices are not invalidated.
To check this vulnerability, I changed my password in LinkedIn's Android app while also being signed into my account on a PC. After changing my password, I discovered something interesting when I went back to my desktop:

"If you go back to your browser on the PC and hit refresh, you will notice that you still remain logged in with the old credentials. You can do all activities such as post, message, connect, etc., but you will not be able to change the password or add email addresses or phone numbers to the account. You will be met with a password prompt asking for credentials, and you can still go back and perform activities. I have been monitoring this issue and noticed I can stay logged in indefinitely using this method."

With that in mind, if you changed your LinkedIn password at home but forgot you had logged into your profile earlier that afternoon on a public computer, that older session stays valid, and anyone with access to that computer could use it to act as you. The re-authentication prompt only blocks the sensitive settings changes; it does not end the stale session.
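The behaviour described above, as an added example that is not LinkedIn's code or the author's: a minimal session store run in two modes. With `revoke_on_change=False` it reproduces the flaw (a session issued under the old password keeps working after the change, and the re-authentication prompt on sensitive actions merely rejects the old password without ending the session). With `revoke_on_change=True` every user carries a session epoch that is bumped on each password change, so all other sessions expire while the device that made the change stays signed in. The user names, tokens and epoch counter are constructed for the illustration.

```python
"""Added example (not LinkedIn's code): why a password change must revoke
every other active session. Users, tokens and the epoch counter are
constructed for this illustration."""
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; a real deployment tunes the iteration count.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class User:
    def __init__(self, name: str, password: str):
        self.name = name
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(password, self.salt)
        # Bumped on every password change; each session remembers the epoch
        # it was issued under (only the hardened store consults it).
        self.epoch = 0

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))


class SessionStore:
    """revoke_on_change=False reproduces the flaw described in the post."""

    def __init__(self, revoke_on_change: bool):
        self.revoke_on_change = revoke_on_change
        self.users: dict[str, User] = {}
        self.sessions: dict[str, tuple[str, int]] = {}  # token -> (user, epoch)

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = User(name, password)

    def login(self, name: str, password: str):
        user = self.users[name]
        if not user.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (name, user.epoch)
        return token

    def is_valid(self, token: str) -> bool:
        entry = self.sessions.get(token)
        if entry is None:
            return False
        name, epoch = entry
        if self.revoke_on_change and epoch != self.users[name].epoch:
            return False  # issued before the last password change
        return True

    def post_update(self, token: str, text: str) -> bool:
        # Ordinary activity (post, message, connect): any valid session will do.
        return self.is_valid(token)

    def change_password(self, token: str, old: str, new: str) -> bool:
        # Sensitive action: re-prompts for the current password. On the
        # vulnerable store this prompt rejects a stale session's old password
        # but does nothing to revoke that session.
        if not self.is_valid(token):
            return False
        name, _ = self.sessions[token]
        user = self.users[name]
        if not user.check_password(old):
            return False
        user.salt = os.urandom(16)
        user.pw_hash = _hash_password(new, user.salt)
        if self.revoke_on_change:
            user.epoch += 1
            # Keep the device that made the change signed in; all others expire.
            self.sessions[token] = (name, user.epoch)
        return True


def demo(revoke_on_change: bool) -> dict:
    """Change the password from a phone while a PC session stays open, then
    report what the PC session can still do."""
    store = SessionStore(revoke_on_change)
    store.add_user("alice", "old-password")
    pc = store.login("alice", "old-password")     # earlier login on a public PC
    phone = store.login("alice", "old-password")  # the user's own phone
    assert store.change_password(phone, "old-password", "new-password")
    return {
        "phone_still_valid": store.is_valid(phone),
        "pc_still_valid": store.is_valid(pc),
        "pc_can_post": store.post_update(pc, "hello"),
        # stale session; the attacker does not know the new password
        "pc_can_change_password": store.change_password(pc, "guess", "x"),
        "old_password_still_logs_in": store.login("alice", "old-password") is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", demo(revoke_on_change=False))
    print("hardened:  ", demo(revoke_on_change=True))
```

The epoch check is the whole fix: the server does not need to enumerate and delete sessions, it only needs a per-user counter that every session-validation path compares against. Re-issuing the changing device's session under the new epoch avoids logging the legitimate user out of the device they are holding.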


NOTE: We advise users not to reuse passwords across different websites, to enable two-step verification (2SV) on their LinkedIn account, and, after changing a password, to sign out of any other device or browser on which they are still logged in, since the password change itself does not end those sessions.


