LinkedIn’s bug bounty program falls short in safeguarding 500 million users
According to the latest reports, a critical security issue has been reported in LinkedIn that could allow attackers to spread malware through its Messenger service.
Although LinkedIn hosts a bug bounty program through which security researchers can report bugs directly to security@linkedin.com, this bug remained undisclosed until professionals at Checkpoint Technologies found it.
Commenting on this, Ankush Johar, Director of BugsBounty.com, said, “Checkpoint reported the bug on 14 June, 2017, but the messenger service has been running with CV functionality since 2015. It is highly possible that malicious hackers in the underground community already knew about this flaw and could have been using it to spread ransomware and other malicious programs.”
He further added, “Phishing is the most popular way of infecting systems with malware and stealing confidential information. It targets humans, who have been proven to be the weakest link in cybersecurity. Such a vulnerability in a service used by over 500 million professionals worldwide could be catastrophic and might have been mitigated earlier if a public bug bounty program had been in place, as at Twitter and Facebook, among others in the social networking cyberspace.”
According to the reports, the vulnerability was reported to LinkedIn on 14 June, 2017. LinkedIn verified and acknowledged the security issue and deployed a fix effective 24 June, 2017.
The reported vulnerability allows malicious attackers to upload malicious files disguised as CVs and send them to victims through LinkedIn Messenger.