Wednesday, December 11, 2013

Linked In: Security Risk?

I used to think those "You have a new endorsement" emails from LinkedIn were cute. 

But then I realized that they're a bit hacky (you can change the URL to make them say whatever you want) and also a security threat. You probably shouldn't click on them.

It just requires some scripting.

Part 1: Starts linking to other people with a fake profile.
Part 2: Using available information, determines the person's email address.
Part 3: Now connected to the person, select one of their connections and one of the things they've already been endorsed for.
Part 4: Using that information, create fake endorsement emails that link elsewhere. (It's a drive-by: when you hit the bogus site, your computer gets infected and it passes you on to LinkedIn, complete with the fake endorsement.)

Here's an example of a fake final destination. Of course, I wouldn't blame you if you didn't click it. (This one doesn't go through another server first and infect you.)

The fake endorsement is not added to your list, of course.
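
The practical defence against the scheme described above is to never trust what an endorsement email's link text says and instead look at the host the href really points to. The script below is an added example, not code from the original post: it parses the anchors out of an HTML email body and labels each one as a genuine LinkedIn destination, a lookalike host, a link whose visible text claims LinkedIn while the href goes elsewhere, or simply an untrusted host. The sample email body and the trusted-host list are constructed for illustration.

```python
"""Flag links in an HTML email whose real destination is not LinkedIn.

Added example (not from the original post). The email body below is a
constructed sample; the trusted-host set is an assumption for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts we accept as genuine. Any subdomain of linkedin.com also passes.
TRUSTED_HOSTS = {"linkedin.com", "www.linkedin.com"}

# Constructed sample: one genuine link, one lookalike host, and one link
# whose visible text looks like a LinkedIn URL but whose href does not.
SAMPLE_EMAIL = """
<p>You have a new endorsement!</p>
<a href="https://www.linkedin.com/in/example">See your profile</a>
<a href="http://www.linkedin.com.example.net/endorse">View endorsement</a>
<a href="http://203.0.113.7/x">https://www.linkedin.com/endorsements</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # completed (href, text) pairs
        self._href = None    # href of the anchor currently open
        self._text = []      # visible text pieces of that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(href):
    """True only if the href's real host is linkedin.com or a subdomain of it.

    Suffix matching on ".linkedin.com" rejects both "linkedin.com.example.net"
    (extra labels after the real domain) and "evillinkedin.com" (no dot).
    """
    host = urlparse(href).hostname
    if host is None:
        return False
    host = host.lower()
    return host in TRUSTED_HOSTS or host.endswith(".linkedin.com")


def classify_links(html):
    """Return one verdict per anchor, in document order."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host_is_trusted(href):
            verdict = "ok"
        elif "linkedin" in host:
            verdict = "lookalike host"
        elif "linkedin" in text.lower():
            verdict = "link text masquerades as LinkedIn"
        else:
            verdict = "untrusted host"
        results.append({"href": href, "text": text, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in classify_links(SAMPLE_EMAIL):
        print(f"{r['verdict']:36} {r['href']}  ({r['text']!r})")
```

Only the first link passes; the second is caught because its registrable domain is example.net despite starting with "www.linkedin.com", and the third because the text shown to the reader advertises a LinkedIn URL while the href points at a bare IP address. The same check applies to the "fake final destination" link: hovering over it and reading the real host is the whole test.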

