This is an uncharacteristically non-PHP post, but I thought it may interest the audience anyway, and this is as good a place as any to have it. So the TLDR of this post is that I’ve recently had an interaction with a certain security issue in LinkedIn; this issue is still there, LinkedIn is not inclined to fix it, and you may be affected.
All names (except, obviously, LinkedIn) in the story have been changed to protect privacy, but they refer to real people, entities and events.
The story of discovering this issue began when one morning I woke up and found in my mailbox a message from LinkedIn saying “here’s the link to reset your password”. As I had not reset my password on LinkedIn, I was somewhat surprised, but thought – OK, maybe somebody is trying to play tricks with my account, I’m pretty sure this would go nowhere. Then, as my brain was waking up, I looked at the email closely and discovered two things:
- This email did not carry my name, but the name of my colleague, let’s call him B., at the company, let’s call it Westeros Inc.
- The email was not sent to me directly, nor was it sent to B. directly; instead it was sent to an internal company mailing list, email@example.com.
I didn’t know what to make of it but decided maybe B. had copy-pasted the wrong address into some field in LinkedIn.
Later the same day, talking to B. and other coworkers, I mentioned this event. B. said that he had indeed reset his LI password recently, but he had never added the goldcloaks list to LinkedIn. I started to get suspicious and asked how, then, I had got his password reset email. He didn’t know. So we (myself and B.) did an experiment:
We went to LinkedIn, logged out and clicked “forgot password” on the login form. Then we entered the address of the list, firstname.lastname@example.org, and in a couple of seconds I got the password reset link, with B.’s name on it. Clicking on that link, I got a form to reset the password (no additional questions like what’s my favorite pokemon) and after another click I got the email saying “B., your password was successfully reset“. I used the new password to log in, but then I was stopped by the two-factor verification. Which means two things: 1) the password change worked, since 2-factor kicks in only when the password is right, and 2) B. is a smart man and has protected his account against password thieves. I had to ask him for the code – now that I had his account’s password, this was the only way to give him the control back. After getting the code, I could successfully log into his account and could see all his deepest secrets (which I didn’t) or return the control back to him (which I did). Before that, we verified that email@example.com is indeed in B.’s list of account emails.
Then I decided to see how the goldcloaks list had ended up in B.’s email list. I went to my own email list and, surprisingly, discovered that in my own list, among my regular emails, there is another mailing list, firstname.lastname@example.org, which I definitely did not ever add there and had zero reason to. I asked other people sitting around in the office to check their lists and they too discovered a couple of extra emails, added in some mysterious way, in their profiles.
Based on these discoveries, I arrived at the following conclusions:
1. There is a way, currently unknown to me, to add a group mailing list to one’s profile on LinkedIn without their explicit consent (at least without them knowing that this is what they consented to).
2. LinkedIn accepts this group list email, and any non-primary email, as an address to send password reset requests to.
3. Reading emails from this address is the only thing needed to reset the password – even if 2-factor auth is enabled. With 2-factor auth, you will not be able to access the account after the password has been reset (unless you find a way to cheat there; I did not try), but you will be able to reset the password.
4. For the majority of people asked, LinkedIn password emails to email@example.com ended up in a spam folder, which means the victim of the shenanigans may not even notice what happened.
This looked like a security issue, so I wrote up the whole story (in a bit less colorful words than here) to firstname.lastname@example.org and went back to work, expecting an email from LinkedIn with heartfelt thanks and promises of speedy fix implementation.
The Security Response
Of course, that is not what happened. Instead, what happened was that I got an answer from some very helpful individual from frontline support, asking me for “detailed information about your problem and if you think it might help, attach a screenshot, too“. As I had just spent significant time composing a big encrypted email full of details, I was a bit confused as to which details I was missing and where screenshots may be useful there, but I did not relent at first and wrote a second explanation of the issue. The response was:
1. LinkedIn support took the extraordinary security measure of logging me out of all my current sessions with LinkedIn.
2. They advised me not to write down my password in publicly accessible places and suggested that if I continue to leave my computer sitting around in public places without logging out, bad things may happen to my account. My sincerest pleas that no such thing ever happened and that the problem I am talking about is not because I forgot my laptop in a pub while being drunk (and so, apparently, did my coworkers) were met with utter disbelief. They also instructed me not to use my LinkedIn password on other sites and gave me a full page of very useful boilerplate password security advice, as prudent as it was unrelated to the case being discussed.
3. They assured me that my account was not compromised (which I never implied) and that my password is safe.
4. They assured me that “The only way to add an email into an account is via the settings after logging in.”
By that time I was sure nobody at LinkedIn was going to believe me that there’s a problem (beyond my implied propensity for leaving my laptop around and thus letting strangers add emails to my LinkedIn account), so I decided I had done my responsible disclosure part and should not spend more time on it. However, then I got another email from LinkedIn stating this:
Sometimes, when a member accepts an invitation to connect that was sent to an email distribution list, that list becomes associated with the member’s account.
Please be assured that no one on the distribution list would be able to use the password reset link to access your account unless they knew both your email address and your password.
The first part, of course, completely belies the claim that “The only way to add an email into an account is via the settings after logging in.“, as apparently the other way is to send an invitation via the email list and have it accepted. The second part, however, cannot be true, as a password reset link cannot require anybody to know the password – such a link would be completely useless – and they do not even need to know my email, only the list email. But this provided the confirmation, and brings us to the conclusions.
- There is, indeed, a way to inject a group email address into your LinkedIn account; LinkedIn knows about it and they don’t see any problem with it. Most probably, this can be done by sending an invitation for a person to connect to a mailing list. You can imagine the social engineering possibilities.
- While you can see the target email in the email connect invite from LinkedIn, you cannot see it, AFAIK, in the LinkedIn web interface, which makes a “group” invite indistinguishable from a regular one.
- There is, and probably will be for the foreseeable future, a way to use that group email address to reset your password, by anybody who has access to the group’s emails.
- LinkedIn knows about the issues outlined above but they do not perceive them as a security issue.
So here’s some advice if you have a LinkedIn account:
- Enable two-factor on your LinkedIn account NOW.
- Check your email list (go to Settings, click on “Account” and then “Add & change email addresses”) and see if you don’t have any unknown emails there. Do that at regular intervals, especially after accepting connections.
- Do not accept connections from strangers that you do not recognize.
- Do not expect big companies to have a meaningful way to report a security problem.
And a wishlist for LinkedIn:
- Make password reset requests work only with the primary email.
- Make associating an email with the account always an explicit, confirmed action.
- Have some way to escalate security issues.
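To make the conclusions above and the wishlist concrete, here is an added example (my own constructed model, not LinkedIn code) contrasting the weak reset policy described in the post, where any address associated with the account, including a silently linked list address, receives the reset link, with a hardened one where only the verified primary address does and where associating a new address is an explicit, token-confirmed step. All addresses in it are constructed placeholders.

```python
"""Password-reset policy model: weak (any associated address) versus hardened
(verified primary address only; association is an explicit, confirmed step).
Constructed example; not LinkedIn's implementation."""
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    primary_email: str
    # addresses that reached the account through a side channel, e.g. a connect
    # invitation sent to a distribution list (the scenario in the post)
    associated_emails: set = field(default_factory=set)
    verified_emails: set = field(default_factory=set)
    pending_verifications: dict = field(default_factory=dict)  # token -> email

def reset_target_weak(acct, requested):
    """Weak policy: any address linked to the account gets the reset link, so a
    shared list address lets every reader of that list trigger a reset."""
    if requested == acct.primary_email or requested in acct.associated_emails:
        return requested
    return None

def reset_target_hardened(acct, requested):
    """Hardened policy: the reset link goes only to the primary address, and
    only if the owner explicitly verified that address."""
    if requested != acct.primary_email or requested not in acct.verified_emails:
        return None
    return acct.primary_email

def link_via_invitation(acct, list_address):
    """The behaviour the post describes: accepting an invite sent to a list
    silently associates the list address (kept here only for contrast)."""
    acct.associated_emails.add(list_address)

def request_email_association(acct, email):
    """Hardened association: nothing is linked until a token mailed to the new
    address is confirmed by the logged-in owner (constructed flow)."""
    token = secrets.token_urlsafe(16)
    acct.pending_verifications[token] = email
    return token

def confirm_email_association(acct, token):
    email = acct.pending_verifications.pop(token, None)
    if email is None:
        return False
    acct.associated_emails.add(email)
    acct.verified_emails.add(email)
    return True

def unverified_addresses(acct):
    """The check the post recommends: addresses on the account that the owner
    never explicitly confirmed, i.e. candidates for removal."""
    return acct.associated_emails - acct.verified_emails
```

Run `unverified_addresses` on an account after `link_via_invitation` to see the silently added list address show up as the one entry the owner should remove.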
If you have any additional info or ideas on this topic, please feel free to comment.