A vulnerability in LinkedIn’s password change process poses a potential threat to all users, especially those whose accounts might have recently been compromised.
If you’ve been following the news, you’ve likely heard about how a hacker named “Peace” is attempting to sell 117 million LinkedIn users’ emails and passwords on The Real Deal, a dark web marketplace which traffics primarily in zero-day exploits.
Peace told Motherboard that hackers originally stole the data during the LinkedIn breach of 2012. The original hackers posted only 6.5 million usernames and passwords at the time. In reality, it appears that they had access to details of 167 million users’ accounts, including 117 for which both passwords and emails were available.
Since news first broke about the true scope of this breach, many LinkedIn users have decided to change their passwords out of caution.
If they weren’t careful, however, they might have just exposed their accounts to unauthorised parties regardless.
David Enos, a web application penetration tester working in the food industry, explains in a blog post that there is a vulnerability in LinkedIn’s password change process. It occurs when users are signed into their LinkedIn account on more than one device at a time and decide to change their password on one of them.
For his proof-of-concept exploit, the researcher decided to change his password on LinkedIn’s Android mobile device while also being signed into his account on a PC. When he finished changing his password, he noticed something interesting when he went back to his desktop:
“If you go back to your browser from PC and hit refresh, you will notice that you still remain logged in with old credentials. You can do all activities such as post, message, connect, etc but you will not be able to change password, add email addresses, or phone numbers to account. You will be received with password prompt asking for credentials, and you can still go back and perform activities. I have been monitoring this issue and noticed I can stay logged in indefinitely using this method.”
With that in mind, if you happened to change your LinkedIn password at home but forgot you had logged into your profile earlier that afternoon on a public computer, an attacker could potentially exploit this bug to assume control of your account.
Enos notes in his post that he reported the vulnerability to LinkedIn back in February. As of this writing, the social networking company has yet to fix the issue.
While we await the company to address the flaw, users should make sure that they sign out of all sessions whenever they change their LinkedIn passwords.
Additionally, they should follow the advice of contributor Per Thorsheim, ensure that they are not reusing passwords on different websites, and enable two-step verification (2SV) on their LinkedIn account.
Update: A LinkedIn spokesperson has been in touch with the following response:
“David Enos is using a previous flow for password reset, which we updated when we introduced the new settings experience for all members in March. When resetting passwords, members can check a box to sign out of all sessions (you can see this when you navigate to Privacy & Settings>Account>Change Password). We also have a setting called “Where You’re Signed In” to find out where you’re logged in and give details on how to end sessions in our Help Center (https://www.linkedin.com/help/linkedin/answer/50190?query=sessions).”