LinkedIn’s private bug bounty program fails to safeguard its users. 500 million of them at risk
A critical security issue was reported in the world’s largest professional social network that could have allowed attackers to spread malware through its Messenger service. Although LinkedIn runs a bug bounty program through which security researchers can report bugs directly to security@linkedin.com, the bug went unreported until researchers at Check Point Software Technologies found it.
The vulnerability allowed an attacker to upload malicious files disguised as CVs and send them to victims through LinkedIn Messenger. Because such a file arrives from a contact inside a professional network, where exchanging CVs is routine, the recipient has little reason to distrust it. Check Point reported the vulnerability to LinkedIn on 14 June 2017; LinkedIn verified and acknowledged the issue and deployed a fix on 24 June 2017.
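The page does not say how the malicious files were disguised, and the following is an added example rather than LinkedIn’s or Check Point’s code. It assumes the generic case behind “files disguised as CVs”: an upload whose filename claims PDF, DOC or DOCX while its bytes are something else, such as an executable or a script. The check below refuses to trust the client-supplied filename and instead compares it against the file’s leading bytes (for DOCX, also against the contents of the ZIP container). The sample uploads at the bottom are constructed for the example.

```python
"""Server-side check that a 'CV' upload really is the document type its name claims.

Added example, not LinkedIn's or Check Point's code. Assumes the generic case of a
file whose extension claims PDF/DOC/DOCX while its bytes are something else.
"""
import io
import zipfile

# Leading bytes ("magic numbers") of the document formats a CV upload may be.
MAGIC = {
    ".pdf": b"%PDF-",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file (legacy Word)
    ".docx": b"PK\x03\x04",                       # ZIP local-file header (OOXML container)
}


def claimed_extension(filename):
    """Lower-cased final extension of the client-supplied name, or None if it has none."""
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
    if "." not in base:
        return None
    return "." + base.rsplit(".", 1)[1]


def looks_like_docx(data):
    """A .docx is a ZIP carrying [Content_Types].xml and word/ parts; any other ZIP is rejected."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "[Content_Types].xml" in names and any(n.startswith("word/") for n in names)


def validate_cv_upload(filename, data):
    """Return (accepted, reason). Never trusts the client's filename or Content-Type alone."""
    ext = claimed_extension(filename)
    if ext not in MAGIC:
        return False, "extension not allowed for a CV"
    if not data.startswith(MAGIC[ext]):
        return False, "file content does not match the claimed extension"
    if ext == ".docx" and not looks_like_docx(data):
        return False, "ZIP container is not a Word document"
    return True, "ok"


def build_sample_docx():
    """Constructed minimal OOXML-shaped archive, used only as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def build_sample_zip():
    """Constructed plain ZIP with no Word parts, to exercise the container check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.ps1", "Write-Host hi")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample uploads: the name is what the sender chose, the bytes are what arrived.
    samples = [
        ("resume.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("resume.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # PE executable renamed to .pdf
        ("resume.docx", build_sample_docx()),
        ("resume.docx", build_sample_zip()),               # ZIP of a script renamed to .docx
        ("resume.ps1", b"Write-Host hi"),
    ]
    for name, blob in samples:
        print(name, validate_cv_upload(name, blob))
```

Two caveats a practitioner would add: the filename and the Content-Type header both come from the sender and are never evidence of anything, and a magic-byte check only stops crude renames. A genuinely malformed or macro-carrying document still passes it, so a real pipeline would follow this gate with content scanning or sandboxed detonation, and would serve downloads with a fixed, non-executable content type.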
Ankush Johar, Director of BugsBounty.com, a crowd-sourced security platform for ethical hackers and organizations, said: “Check Point reported the bug on 14 June 2017, but the messenger service has been running with CV functionality since 2015. It’s highly possible that malicious hackers in the underground community already knew about this flaw and could have been using it to spread ransomware and other malicious programs.”
“Phishing is the most popular way of infecting systems with malware and stealing confidential information. It targets humans, who have been proven to be the weakest link in cyber security. Such a vulnerability in a service used by over 500 million professionals worldwide could be catastrophic and might have been mitigated earlier if a public bug bounty program had been in place, just as Twitter and Facebook, among others in the social networking cyberspace, have.”