LinkedIn vulnerability.
We have tried to contact LinkedIn through two channels: their social media service and Twitter. We have not yet received any response to our communications. We have therefore decided that we ought to alert people to this.
On the morning of 07/06/2012 an I.T. Security geeks team member changed his LinkedIn password.
The changes were implemented via a web browser.
Several hours later the user received an App Store notification of a LinkedIn app update for an iOS device, and proceeded with the update to LinkedIn version 5.0.3 dated 06/06/12.
The user was, however, still able to view and functionally use the LinkedIn app despite not being authenticated with the new password on his mobile device.
It appears that when a password is changed on the site, access is not revoked and the previously authenticated devices in the user's access matrix are not made to re-authenticate.
To test the theory again, the user logged back into LinkedIn via web browser, changed his password, and then used the iOS device in question to post a test status to his own profile and to send a message to a connection.
Despite 2 password changes, the iOS device still maintained its active session and allowed full compromise of the user's account.
This poses a high risk to users.
Personal data may be compromised.
Users cannot effectively revoke access to their profiles by changing passwords in the event of their devices being lost or stolen. If you have in the past attempted to lock out unauthorised user access on a lost or stolen device by changing your password, please be aware that this does not seem to work. Try contacting LinkedIn for assistance. Our best possible advice is to uninstall the LinkedIn iOS application until further notice.
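The behaviour reported above, next to the server-side control that would prevent it, as an added example that is not LinkedIn's code and not part of the original report. The `SessionStore` class, the per-user generation counter, and the user and device names are assumptions made for illustration; how LinkedIn actually tracks sessions is not known from this page.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session store; credential checks are out of scope."""

    def __init__(self, revoke_on_password_change):
        self.revoke_on_password_change = revoke_on_password_change
        self.generation = {}  # user -> counter bumped on every password change
        self.sessions = {}    # token -> (user, device, generation at issue time)

    def issue_session(self, user, device):
        # Called only after the user has authenticated with the current password.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, device, self.generation.setdefault(user, 0))
        return token

    def authorize(self, token):
        """Return the user a token is valid for, or None."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, _device, issued_gen = entry
        if issued_gen != self.generation[user]:
            del self.sessions[token]  # stale: issued before the last password change
            return None
        return user

    def change_password(self, user, current_token):
        # Only a live session belonging to the user may change the password.
        if self.authorize(current_token) != user:
            raise PermissionError("not authenticated")
        if not self.revoke_on_password_change:
            return current_token  # weak: every other device keeps its session
        _, device, _ = self.sessions.pop(current_token)
        self.generation[user] += 1  # hardened: all older tokens are now stale
        return self.issue_session(user, device)  # only the changing device continues


def replay_scenario(revoke_on_password_change):
    """Constructed replay of the report: phone logged in, then two web password changes."""
    store = SessionStore(revoke_on_password_change)
    phone = store.issue_session("alice", "ios-app")
    web = store.issue_session("alice", "web-browser")
    web = store.change_password("alice", web)
    web = store.change_password("alice", web)
    return {"phone": store.authorize(phone), "web": store.authorize(web)}


if __name__ == "__main__":
    print("no revocation:  ", replay_scenario(False))
    print("with revocation:", replay_scenario(True))
```

With revocation disabled the phone token stays valid after both password changes, matching what was observed; with it enabled the phone must log in again with the new password.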