October 31, 2014

LinkedIn can be tricked into revealing personal email addresses

(LiveHacking.Com) – Benjamin Caudill and Bryan Seely, founders of Rhino Security, have discovered an unintentional side effect of LinkedIn’s obsession with making sure you are “linked” with just about everyone you have had contact with. According to the new research, which was published in part by Brian Krebs, it is possible to trawl LinkedIn and discover the email addresses of public figures including leading CEOs, celebrities and company executives.

On a normal day LinkedIn will only let you connect with users that you claim to know professionally or personally. If you don’t know someone, you can get an introduction via a common third party. To ensure that you are linked to everyone you know, LinkedIn will optionally trawl through your Google/Yahoo/Hotmail address book to see if anyone in it is already using LinkedIn. Sounds great, very helpful.

The problem is that if you start to create fake email addresses in your list of contacts then LinkedIn will helpfully show you the profiles of users with addresses that match your address book. This is because LinkedIn assumes that if you have their email address then you must know the person.

Now all you need to do is populate your address book with hundreds of combinations of email addresses based on people’s names, and then add @gmail.com or @yahoo.com etc on to the end.

When you import the list, LinkedIn will not only show you the profiles which match the addresses, it will also tell you which addresses don’t match any known profile. If you got lucky and found the address of a high-profile user, you then only need a process of elimination, whittling down the list using the addresses that didn’t match any profile, to discover the private email address of the target LinkedIn user.
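The weak point in the flow above is the response itself: it treats possession of an address as proof of acquaintance and reports both hits and misses. The following Python is an added illustration of a hardened contact-matching step, not LinkedIn’s code or anything from the researchers; the batch cap, daily quota, opt-in flag, and the directory contents are all assumptions constructed for the example.

```python
"""Hardened contact-matching endpoint, added as an illustration.

Not LinkedIn's code: the batch cap, daily quota, opt-in flag and the
directory contents are all assumptions constructed for this example.
"""
from collections import defaultdict

MAX_BATCH = 200        # assumption: addresses accepted per import request
DAILY_QUOTA = 2000     # assumption: addresses one account may look up per day
GUESSING_RATIO = 0.9   # assumption: log imports where >= 90% of addresses are unknown

# Constructed directory: address -> (profile id, member allows discovery by email)
DIRECTORY = {
    "alice@example.com": ("profile-alice", True),
    "bob@example.com": ("profile-bob", True),
    "famous.person@example.com": ("profile-famous", False),
}

_lookups_today = defaultdict(int)   # requester -> addresses looked up today
AUDIT_LOG = []                      # lines a detection pipeline would consume


def normalise(address):
    """Lower-case and trim an address; return None if it is not user@domain."""
    local, at, domain = address.strip().lower().rpartition("@")
    return f"{local}@{domain}" if at and local and domain else None


def match_contacts(requester, addresses, directory=DIRECTORY):
    """Return a response for an address-book import.

    Three differences from the behaviour described in the article:
    - the response never lists which addresses did NOT match, so there is
      nothing left to whittle down by elimination;
    - only members who opted in to discovery by email are returned, so holding
      a guessed address is not treated as proof of acquaintance;
    - the result is a bare list of profiles rather than an address-to-profile
      map, and batch size and daily volume are capped so the endpoint cannot
      serve as a high-volume oracle.
    """
    cleaned = {a for a in map(normalise, addresses) if a}
    if len(cleaned) > MAX_BATCH:
        return {"ok": False, "error": f"batch of {len(cleaned)} exceeds {MAX_BATCH}"}
    if _lookups_today[requester] + len(cleaned) > DAILY_QUOTA:
        return {"ok": False, "error": "daily lookup quota exhausted"}
    _lookups_today[requester] += len(cleaned)

    profiles = []
    unknown = 0
    for addr in cleaned:
        entry = directory.get(addr)
        if entry is None:
            unknown += 1
        elif entry[1]:
            profiles.append(entry[0])

    # Detection signal: a real address book is mostly known contacts;
    # a list of permuted guesses is almost entirely unknown to the service.
    if cleaned and unknown / len(cleaned) >= GUESSING_RATIO:
        AUDIT_LOG.append(
            f"{requester}: {unknown}/{len(cleaned)} imported addresses unknown; "
            "possible address enumeration"
        )
    return {"ok": True, "profiles": sorted(profiles)}
```

The audit line is the part a security operations team would wire up: an import where nearly every address is unknown to the service is the signature of guessing rather than of a genuine address book, and it is visible server-side even though the response gives the importer nothing to work with.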

To prove their point Caudill and Seely discovered the email address of Mark Cuban, the owner of the Dallas Mavericks. Seely said they found success in locating the email addresses of other celebrities using the same method about nine times out of ten.

“We created several hundred possible addresses for Cuban in a few seconds, using a Microsoft Excel macro,” Seely said. “It’s just a brute-force guessing game, but 90 percent of people are going to use an email address that includes components of their real name.”

According to LinkedIn the company will be implementing a couple of changes over the next few weeks to alter the way the service handles email addresses.

TechRadar’s user database stolen

(LiveHacking.Com) – Following the break-in at LinkedIn, popular British technology site TechRadar.com has sent an email to its users informing them of a security breach. According to the email, user details including username, email address, date-of-birth and encrypted passwords have been stolen. It looks as if the hackers managed to breach the site via the forums. The email goes on to explain, “the forums have been closed and will remain closed until we are satisfied that there are no further issues and the forum can be safely restored to service.”

The biggest danger is not that the hackers have your password to the TechRadar site, but rather that you may use the same password on other websites. If so, you need to change those passwords immediately. The situation was the same when LinkedIn was breached, with the added twist that user data on LinkedIn was also potentially more valuable.

As always the email contained the normal platitudes, “our IT team launched an investigation immediately and has identified the cause of the problem and taken action to rectify it.” and “we take the security of your data extremely seriously and we apologize for any inconvenience caused.”

It seems that the break-in was discovered by TechRadar itself or was reported privately, as there doesn’t yet seem to be any news of the database being posted publicly, as was the case with LinkedIn.

The TechRadar email mentions that the passwords were “encrypted”, however there are no details on what form of encryption was used or whether the passwords were salted. The problem with the LinkedIn breach was that the passwords were stored as unsalted hashes. This meant that attackers were able to recover a large portion of the passwords very quickly.

TechRadar says it will contact its users again shortly with instructions on how to update passwords.

LinkedIn Confirms That Millions of User Passwords Have Been Posted Online

(LiveHacking.Com) – LinkedIn has confirmed that passwords posted onto a Russian hacking forum belong to LinkedIn accounts. The hacker uploaded 6,458,020 hashed passwords, but no usernames. There is no confirmation yet that the hacker obtained the usernames as well, but it is very likely that they have them and have simply chosen not to post them online. The passwords are an unsalted list of SHA-1 hashes, which should be hard to crack; however, the SHA-1 algorithm isn’t foolproof and isn’t collision-free. Simple dictionary passwords will be easy enough to crack by computing the SHA-1 of each word and then looking in the password list for that hash. These 6.5 million password hashes will now be used to populate rainbow tables and will be an obvious choice for seeding dictionary attacks against any future database leaks.
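The reason an unsalted list is so exposed, as noted in both the TechRadar and LinkedIn stories above, is that one hash of a dictionary word tests it against every account at once. The Python below is an added example, not LinkedIn’s code or data: it contrasts that lookup with salted, iterated storage. The “leaked” digests are constructed from three made-up passwords, and the iteration count is an assumption.

```python
"""Unsalted SHA-1 storage versus salted, iterated hashing, added as an illustration.

Not LinkedIn's code or data: the 'leaked' digests below are constructed from
three made-up passwords, and the iteration count is an assumption.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption: tuned so one hash costs a noticeable fraction of a second

# Constructed stand-in for the leaked list: hex SHA-1 digests, no usernames, no salt.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "linkedin", "J7#qv!x0Lm9")
}


def crack_unsalted(leaked_digests, wordlist):
    """The lookup the article describes: hash each word once and check the list.

    With no salt, a single SHA-1 computation per word is compared against every
    account in the leak at the same time, which is why a wordlist or a rainbow
    table is so effective here.
    """
    found = []
    for word in wordlist:
        if hashlib.sha1(word.encode()).hexdigest() in leaked_digests:
            found.append(word)
    return sorted(found)


def hash_password(password, iterations=ITERATIONS):
    """Store a per-password random salt plus an iterated PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_same_record(password):
    """Why salting defeats precomputation: two users with the same password get
    two different stored records, so a table built from one leak says nothing
    about the next. Returns True only if the two records collide."""
    return hash_password(password) == hash_password(password)
```

Two things to take from this: with salts, a dictionary word has to be hashed once per account rather than once per leak, and the iteration count makes each of those hashes deliberately slow, so the precomputed-table approach the article anticipates no longer pays off.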

LinkedIn has disabled the compromised accounts and is sending users an email with instructions on how to reset their passwords. It is worth noting that there will not be any links in this email. This is because phishing attacks often rely on links in emails that lead to fake sites designed to trick people into typing in their password. Once the password has been reset, any affected members will receive a second email providing a bit more context on this situation and why they are being asked to change their passwords.

LinkedIn has recently added some more security to their system including better hashing and salting of the password databases.

LinkedIn SSL and Cookies Vulnerability

Rishi Narang, an independent security researcher, has revealed that LinkedIn contains security vulnerabilities that could allow hackers to access user accounts. According to Rishi, “there exist multiple vulnerabilities in LinkedIn in the way it handles cookies and transmits them over SSL. This vulnerability, if exploited, can result in hijacking of user accounts and/or modifying user information without the consent of the profile owner.”

LinkedIn (like most sites) uses session and authentication cookies to determine if a request originated from an authenticated user.

The first vulnerability discovered by Rishi is that the Secure flag isn’t set on these cookies, which means the cookie will be transmitted in clear text if the user visits any HTTP URL (rather than HTTPS) within the cookie’s scope.

The second problem is with the expiration date of these cookies. Authentication-related cookies normally expire within a few hours (or even minutes for financial websites), but LinkedIn’s cookies expire after one year.

Rishi says that as a result, in just 15 minutes, he was able to access multiple active accounts that belonged to individuals from all over the world.

Rishi goes on to explain that an attacker can sniff the cookies from a clear-text session and then use them to authenticate a new session. The attacker can then compromise and modify the information available on the user profile page.
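Both findings are visible in the Set-Cookie header a site sends, so they can be checked mechanically. The Python below is an added example, not LinkedIn’s code or the researcher’s: it audits a login cookie for a missing Secure flag and an over-long lifetime. The header lines and cookie name are constructed, the 8-hour ceiling is an assumption, and the HttpOnly check goes beyond the two findings in the article.

```python
"""Audit of Set-Cookie headers for the cookie problems described above, added
as an illustration. Not LinkedIn's code: the header lines are constructed, the
cookie name is made up, and the 8-hour ceiling is an assumption. The HttpOnly
check is an extra the article does not mention."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_AUTH_LIFETIME = timedelta(hours=8)   # assumption: ceiling for a login cookie

# Constructed headers: the first mirrors the article's findings, the second is fixed.
WEAK_HEADER = "sessionid=abc123; Path=/; Expires=Mon, 01 Jun 2015 00:00:00 GMT"
FIXED_HEADER = "sessionid=abc123; Path=/; Max-Age=28800; Secure; HttpOnly"
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)   # constructed 'current time'


def parse_set_cookie(header):
    """Split 'name=value; attr; attr=value' into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now):
    """How long the browser will keep the cookie; None for a session cookie."""
    if "max-age" in attrs:          # Max-Age takes precedence over Expires (RFC 6265)
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def audit_auth_cookie(header, now=NOW, max_lifetime=MAX_AUTH_LIFETIME):
    """Return a list of findings for a cookie that carries authentication state."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag, sent in clear text over http://")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag, readable by page scripts")
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None and lifetime > max_lifetime:
        findings.append(
            f"{name}: lifetime of {lifetime.days} days exceeds {max_lifetime}; "
            "a captured cookie stays valid that long"
        )
    return findings
```

Run against the weak header the audit reports the two issues from the article plus the HttpOnly one; the fixed header, which sets Secure, HttpOnly and an 8-hour Max-Age, produces no findings. The lifetime check is what turns the one-year expiry into a concrete risk statement: a cookie captured once remains usable until it expires, whatever the user does in the meantime.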

The news of these vulnerabilities comes only days after LinkedIn went public. LinkedIn is a social-networking site for professionals with more than 100 million users and over 1,200 employees.