LinkedIn's upload security checks appear to have flaws that let cyber-criminals deliver malware-laden attachments through the social network's messenger service.
According to security researchers at Check Point, when a valid file is uploaded and sent on LinkedIn, the site's security protections scan the attachment for malicious content. What the researchers discovered is that attackers can bypass those checks when they send a malicious file through the site's messaging service.
So far, the researchers have found four ways to exploit these vulnerabilities in LinkedIn's system. The first lets an attacker create a malicious PowerShell script, save it under a .pdf extension and upload it to the site's CDN server. Once downloaded, the malicious file remains undetected.
The second flaw lets an attacker create a Windows registry file containing the malicious PowerShell script and disguise it as a .pdf file. When the victim opens the file received through LinkedIn, the crafted REG file containing the malicious payload runs and gives the attacker control over the user's machine. From then on, the script runs each time the user logs in to the computer.
The third flaw makes it possible to create a malicious XLSM file containing a macro and disguise it as an XLSX file. The macro is an obfuscated VB script carrying shellcode. The disguised file passes the anti-virus check, is uploaded to LinkedIn's CDN and is sent to the targeted user. Once they open the malicious XLSM file, Excel runs the VB script and the victim is infected.
The last way to exploit LinkedIn's system is to create a malicious DOCX file containing an external object. The object is linked to an HTA file on a server the attacker controls; the DOCX is uploaded to LinkedIn's CDN, passes the anti-virus check undetected and is sent to the targeted person. When the victim opens the malicious DOCX file, WINWORD automatically downloads the HTA file through the object link and runs it. Once the HTA file executes, the victim is infected.
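All four bypasses share one weakness: the file's claimed extension is trusted instead of its content. The validator below is an added example, not code from Check Point or LinkedIn, showing how an upload check can reject each case described above: it compares the file header against the claimed extension (catching a script or REG file renamed to .pdf) and, for Office OOXML containers, flags an embedded VBA project or an external OLE object relationship. The sample inputs are constructed, inert stand-ins, and the URL in them is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Bytes a genuine file of each allowed extension must start with
MAGIC = {"pdf": b"%PDF-", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04"}


def _ooxml_findings(data):
    """Inspect an OOXML zip container for macro parts and external OLE links."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # An .xlsx/.docx should never carry a VBA project; an XLSM renamed to .xlsx does
        if any(n.endswith("vbaProject.bin") for n in names):
            findings.append("contains VBA macro project")
        # Relationship parts declare links; an external oleObject target is the DOCX/HTA case
        for n in names:
            if n.endswith(".rels"):
                for rel in ET.fromstring(zf.read(n)):
                    if rel.get("TargetMode") == "External" and "oleObject" in rel.get("Type", ""):
                        findings.append(f"external OLE object link: {rel.get('Target')}")
    return findings


def check_upload(filename, data):
    """Return reasons to reject the upload; an empty list means content matches the extension."""
    ext = filename.rsplit(".", 1)[-1].lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return [f"extension .{ext} not allowed"]
    if not data.startswith(expected):
        return [f"content does not match claimed .{ext} (header {data[:8]!r})"]
    if ext in ("docx", "xlsx"):
        return _ooxml_findings(data)
    return []


def _zip_with(parts):
    """Build a minimal in-memory OOXML-style zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: one genuine PDF, a REG file renamed .pdf, a macro workbook
# renamed .xlsx, and a DOCX whose relationships point at an external HTA (placeholder URL)
RELS = (b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        b'relationships/oleObject" Target="http://example.invalid/x.hta" TargetMode="External"/>'
        b'</Relationships>')
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n% constructed minimal header\n",
    "invoice.pdf": b"Windows Registry Editor Version 5.00\r\n",
    "budget.xlsx": _zip_with({"xl/workbook.xml": b"<w/>", "xl/vbaProject.bin": b"\x00"}),
    "memo.docx": _zip_with({"word/_rels/document.xml.rels": RELS}),
}
```

Running `check_upload(name, data)` over `SAMPLES` accepts only `report.pdf`; the other three are rejected with the matching reason.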
Check Point's researchers identified the four flaws and reported them to LinkedIn on 14 June 2017. LinkedIn verified and confirmed the security issues and deployed a fix effective 24 June 2017.