
The LinkedIn iOS app parses HTML in messages, and this can be used to phish for credentials or be escalated into a full-blown attack.
Senior Cyber Security Specialist Zouheir Abdallah (@ZuZ on Twitter) has publicly and responsibly disclosed a vulnerability in LinkedIn’s mobile app. Zouheir is known for reporting a serious vulnerability in Dropbox’s two-factor authentication back in July 2013.
Send a message to a user with the following content:

Hey, can you please view my LinkedIn profile and endorse me! Thanks! I appreciate it!
<a href="InsertPhishingSiteHere.com">qa.linkedin.com/in/zouheirabdallah</a>
Regards,
The iOS app displays only the link text and not the URL embedded in the HTML href attribute, so the recipient of the message will not even know that he is being redirected to a malicious site. This attack can be used against LinkedIn itself too, by claiming that LinkedIn requires re-authentication to view some article on LinkedIn. It could also work on other devices such as Android and BlackBerry, but he could not test this as he did not have other handsets at hand.
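The defensive check a messaging client needs here is to compare the host a link's visible text claims with the host its href actually points to, and to render the true destination. The following is an added example (not code from the article, the researcher or LinkedIn); the phishing host, the message text and the LOOKS_LIKE_URL heuristic are constructed assumptions.

```python
# Added example, not the article's or LinkedIn's code; sample values are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Rough test for text a reader would take for a web address.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def host_of(value):
    """Host of a URL or bare domain, lower-cased, without a leading 'www.'."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").removeprefix("www.")

class AnchorScanner(HTMLParser):
    """Collect (href, visible text) per <a> and rebuild a plain-text copy."""
    def __init__(self):
        super().__init__()
        self.anchors, self.out, self._href, self._text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        (self._text if self._href is not None else self.out).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.anchors.append((self._href, text))
            self.out.append(f"{text} ({self._href})")  # show the true target
            self._href = None

def find_deceptive_links(html):
    """(href, text) pairs whose text names a host other than the href's."""
    scanner = AnchorScanner()
    scanner.feed(html)
    return [(h, t) for h, t in scanner.anchors
            if LOOKS_LIKE_URL.match(t) and host_of(t) != host_of(h)]

def render_plain(html):
    """Hardened rendering: plain text with every link target made visible."""
    scanner = AnchorScanner()
    scanner.feed(html)
    return "".join(scanner.out)

# Constructed sample modelled on the message quoted in the article.
SAMPLE = 'endorse me: <a href="http://phishing.example">qa.linkedin.com/in/zouheirabdallah</a>'
```

Links whose text is not URL-like (e.g. "my profile") are not flagged by the heuristic, since the mismatch the article describes only deceives when the text itself looks like an address.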
(Security Affairs – LinkedIn, hacking)