A new LinkedIn vulnerability shows how even a small loophole from the engineering team can expose job seekers to phishing attacks.
Security-related controversies are not new for LinkedIn. Here’s the latest one, discovered by a cybersecurity firm, Cyphere, in Aug 2021. As per the company’s report, anyone can post jobs on behalf of any company they want, without the consent or knowledge of the original company! This means hackers can post jobs impersonating a reputable company and invite job applications, receiving thousands of CVs at a fake email address, or redirecting candidates to a malicious or phishing website!

Here’s how it works.

Once the job is posted, even the original company’s super admin can’t do anything about it!

Cyphere reached out to BleepingComputer to reconfirm their claims. After verifying the claims to be credible, BleepingComputer contacted LinkedIn for their comments. Here’s the vague reply they received from LinkedIn:

However, the evidence Cyphere’s researchers found contradicts this. LinkedIn didn’t do anything further to tackle the issue. That means the vulnerability still exists and can be exploited by anyone with a LinkedIn account.

So, here’s the point where the matter takes a dangerous turn. LinkedIn gives job posters two options. They can either receive the CVs via email or redirect applicants to a third-party website, which ideally should be the company’s career page.
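Because the only signal an applicant (or a company monitoring postings made in its name) has is where the application actually goes, a useful defensive check is whether the apply e-mail or redirect URL resolves to the employer's own registrable domain. The following is an added example, not code from the article, Cyphere or LinkedIn; the company domain and the test targets are constructed placeholders, and the public-suffix list is deliberately minimal.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed placeholder: the employer's legitimately owned domains.
COMPANY_DOMAINS = {"example-corp.com"}

# Tiny stand-in for a public-suffix list; a real deployment would use the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}


def registrable_domain(host: str) -> str:
    """Reduce a host to its registrable domain (e.g. careers.example-corp.com -> example-corp.com)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def apply_target_host(target: str) -> Optional[str]:
    """Return the host that would actually receive the application, or None if it is not parsable."""
    target = target.strip()
    if target.lower().startswith("mailto:"):
        target = target[len("mailto:"):]
    if "@" in target and "://" not in target:
        # Plain e-mail address: the receiving domain is whatever follows the last '@'.
        return target.rsplit("@", 1)[1].lower() or None
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https"):
        return None
    # .hostname drops userinfo (https://example-corp.com@evil.example/) and any port,
    # so a lookalike placed before '@' cannot masquerade as the destination.
    return parsed.hostname


def apply_target_is_legitimate(target: str, company_domains=COMPANY_DOMAINS) -> bool:
    """True only when the application destination belongs to one of the company's own domains."""
    host = apply_target_host(target)
    if host is None:
        return False
    allowed = {registrable_domain(d) for d in company_domains}
    return registrable_domain(host) in allowed


if __name__ == "__main__":
    for t in ["mailto:careers@example-corp.com", "https://example-corp.com.evil.example/apply"]:
        print(t, "->", "legitimate" if apply_target_is_legitimate(t) else "MISMATCH")
```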