LinkedIn phishing vulnerability (opens in new tab)

(sigkill.dk)

31 pointsrlm16y ago5 comments

5 comments

5 comments · 2 top-level

oscardelben16y ago· 3 in thread

Ok, so for this to work you have to click on a phishing email.

A few weeks ago I was working on the linkedin api and I noticed that if I was sending messages to multiple contacts, they would all see each other's email on cc instead of ccn. I reported this to the team and I hope it's fixed by now. It's not a big deal, but it's a way to know the email address of all your contacts.

Timothee16y ago

Yes, it's a phishing email but where it's different and vulnerable is that you receive a seemingly legitimate email from LinkedIn (it's in fact a legitimate email that was "forwarded" to you), that does link to LinkedIn.com, not limkedin.com or similar. You never actually give your email and password to a site that makes you think it's LinkedIn. It IS LinkedIn.

The weak part is that your LinkedIn account gets associated to an extra email address without your express consent. (allegedly, since I haven't tried this)

ig116y ago

You can see the email details on your contacts on linkedin anyway, no ?

oscardelben16y ago

I'm not sure about that. But anyway your contacts will see your contacts's email.

amatriain16y ago

Wow. So easy to exploit...

j / k navigate · click thread line to collapse