LinkedIn has emerged in recent years as one of the most popular online social networking sites and, as such, is a target for hackers and security researchers alike. Zuk Avraham, founder and CEO of Zimperium, alleges in a new report that LinkedIn has left its users exposed to potential exploitation, due to the way the site uses Secure Sockets Layer (SSL) encryption.
Zimperium’s technology, zANTI, is based on a program known as SSLstrip that first publicly became available in 2009 from security researcher Moxie Marlinspike. SSLstrip helps an attacker perform a man-in-the-middle (MITM) attack against a user who thinks they are being protected by SSL. As a result of SSL stripping, user information from LinkedIn could potentially be intercepted by a MITM attack.
“We used our own implementation of SSLstrip with a very basic concept: Replace all HTTPs strings to HTTP,” Avraham told eWEEK.
An HTTPS string implies that a given Web address is secured by SSL. Avraham added that his own company’s tool zANTI, which has a free version, can be used by anyone to easily audit if they are vulnerable to Zimperium’s implementation of SSLstrip.
Avraham said his company first responsibly disclosed the issue to LinkedIn in May 2013.
LinkedIn spokesperson Nicole Leverich confirmed to eWEEK that Zimperium did contact LinkedIn. She noted that LinkedIn responded to Zimperium with updates about the status of the HTTPS/SSL rollout on LinkedIn.
“In December 2013 we started transitioning the LinkedIn site to default HTTPS and just last week announced that we are serving all traffic to all users in the U.S. and E.U. by default over HTTPS,” Leverich said. “This issue does not impact the vast majority of LinkedIn members, given our ongoing global release of HTTPS by default.”
Leverich added that LinkedIn members can also choose to turn on HTTPS by default with a few simple steps: Go to the LinkedIn settings, click the Account tab and then click “manage security settings” and check the box and click “save changes.”
For his part, Avraham said that his firm has not heard from LinkedIn since they made the security disclosure public today.
“They [LinkedIn] should enforce the secure bit on all cookies regardless if you enabled SSL in your options,” Avraham said. “All users that we have tested used the default settings and were vulnerable to their account getting hijacked.”
Avraham also suggests that users should always type “https://” when it comes to accessing LinkedIn and any other sensitive Websites. He added that LinkedIn can also add a check for SSLstrip in their non-SSL Website and redirect to the secure Website.
The issue of SSL being stripped is one that sites beyond LinkedIn should also be concerned about.
“In my opinion, most SSL sites are vulnerable to SSL Stripping,” Ivan Ristic, director of engineering at Qualys, told eWEEK. “This is because the default for any browser is to try plaintext [HTTP] access first. The only way to resist SSL stripping attacks is to deploy HTTP Strict Transport Security, but only a few sites do that.”
HTTP Strict Transport Security (HTTPS) is a technology specification that forces users to load the HTTP version of a Website.
Kevin Gilchrist, vice president of product management at Comodo, told eWEEK that while calling the LinkedIn issue a zero-day exploit might be debatable, it is a major problem.
“Many Website operators make a conscious design choice to only use SSL (https) for log-in and payment pages—and not every page, as it saves them infrastructure costs,” Gilchrist said. “It is computationally cheaper so therefore uses less hardware, power, heating and cooling.”
Gilchrist suggests that sites use SSL as the new default for content as it is easier to enable SSL than it is to assure that Web developers have written a robust hybrid site using encrypted and unencrypted traffic.
“It is always tempting to manage costs based on the hard costs in front of you and underestimate the costs of potential security breaches,” Gilchrist said. “The extra infrastructure cost should be cheaper than any loss of trust and business by your customers.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.