Is LinkedIn Really Secure?

Friday, February 24, 2012

Brittany Lyons


Since it filed for IPO in January 2011, LinkedIn has steadily gained in popularity. Today, there are roughly 135 million registered users worldwide.

In fact, according to a resource for PhD programs online, many graduate and doctoral students are even turning to this site as resource they embark on their job search.

Thus, by catering to young professionals and business owners, the social networking site sets itself apart from more leisurely competitors like Facebook and MySpace.

However, LinkedIn falls short when it comes to secure access. As the last 18 months have demonstrated, the site is susceptible to identity thieves, viruses and spam—and in many ways, users who create a LinkedIn profile are more at risk than on rival sites.

In September 2010, the Better Business Bureau (BBB) reported the first phishing scam on LinkedIn. Users received suspect e-mails, stating they had “new invitations” waiting for them. The site immediately issued a statement that reiterated essential security steps one must take with online profiles, such as never opening suspicious e-mails and regularly downloading anti-virus software.

Prior to this episode LinkedIn was long touted as a much “safer” alternative for social networking. However, according to BBB spokeswoman Janet Hart, suspicious activity is inevitable on any site with a high volume of registered users. Since this scam was reported, the site has dealt with numerous security issues—and more than doubled its number of registered users.

Another security issue occurred in May 2011, when an India-based Internet security researcher named Rishi Narang reported a flaw related to how the site managed cookies (data files that permanently store information on one’s hard drive).

The use of these files was nothing new (as a security measure—most sites set their cookies to expire after a short period of time) but LinkedIn, on the other hand, set its cookies to expire after one year. In order to shield private user information, Narang said LinkedIn would have to scramble its cookies with SSL.

The site finally accomplished this in February 2012, which means LinkedIn profile holders were vulnerable for almost a year after the problem was reported—and many users did not even realize the threat.

LinkedIn users were also unaware when the site made their profiles public in August 2011. Yahoo! News reported that the site automatically opted all its users into a new social advertising program; a blog post was the only indicator of this action.

In addition, user names became available to advertisers and their inboxes were flooded with spam. If a LinkedIn user wishes to privatize their profiles, he or she must hover over the user name in the top right corner and click “Settings,” and then “Accounts.” Under “Manage Social Advertising,” the user should uncheck the box for “LinkedIn may use my name, photo in social advertising,” and then click “Save.” It should be noted that publicly shared information is the default setting.  

In addition, viruses remain a pervasive threat to online users. Last August, CNET News reported that the number of social networking site users targeted by malware had reached 18 percent—more than double the 2009 figure. LinkedIn was not immune to these attacks, and several instances have been reported within the last year.

The key to participating in social networking sites without leaving oneself exposed is how much, or little, personal information is shared publicly, known in the cyber world as a digital footprint.

"Cybercriminals continue to target social networks because they can quickly access a large pool of victims," said Webroot threat expert Jacques Erasmus in an August 2011 statement. "But our findings show that people are becoming aware of this, and they're now savvier about safeguarding their devices and the personal information they share online."

Typically, sites ask for personal data at two stages in the set-up process: registration and profile development. Information often required at these points includes a name, e-mail address, zip code, birth date and gender—all of which could potentially be used by online criminals.

In addition, LinkedIn users often upload business documents like resumes, writing samples and letters of recommendation. “When you look across all the information you’ve shared,” reported, “it’s pretty clear that any stranger with bad intentions—and access to this information—has a great head start in knowing who and where you are, and if you’re a high potential target for identity theft.”

As LinkedIn has faced phishing scams and viral attacks, users have watched private information become public without their permission. Online vulnerability is clearly still a problem and though LinkedIn has addressed its numerous issues in a punctual manner, this does not prevent new problems from arising.

Ultimately, web users must exercise caution when it comes to social networking—and making business connections, as they do on LinkedIn.

Possibly Related Articles:
Information Security
Phishing SPAM Privacy scams malware Social Engineering Social Media Cyber Crime Cookies LinkedIn Brittany Lyons
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.