The past few days there has been a bit of a stink about some bogus LinkedIn profiles. Plenty of news sources have been reporting that LinkedIn profiles are serving malware, or making it seem like profiles are infected somehow. A few examples of that can be found here and here and here. At least The Register called the people falling for this fools. What the titles of these reports imply is dead wrong. LinkedIn profiles are not actively attacking users.
The issue is very simple: it is a hyperlink to another site that infects idiots with malware. A hyperlink to another site, not getting attacked from viewing a profile. When you allow users to link to off-site content, you lose control of the request; however, this isn’t like allowing users to pull content in from other sites to display on their profiles, which is where the real exposure would be. A plain hyperlink typically has very little impact, and this is no different than any other site, message board, or social network.
Give me a break, like Beyoncé Knowles has a LinkedIn page and is going to have a hyperlink on there to a place to view her nude pictures. That’s the issue these sites are referring to, dumb isn’t it? How does that get turned into words like serving, harboring, or redirecting? These words imply some sort of active action on LinkedIn’s part, which doesn’t describe the situation here AT ALL. If you ran a message board and someone had a hyperlink to Goatse, does that mean you are serving, harboring, or redirecting to Goatse? Of course it doesn’t. This would just be an indication of your user base. I wonder how many people were brave enough to click the Goatse link above. It’s not Goatse, promise.
Is there really no end of Internet news stories this week to scare people with, so people decided we should be scared of LinkedIn? This is basically spreading FUD. I personally don’t see why LinkedIn should take any heat from this. The feature of LinkedIn that allows you to link to your company, personal site, or some other site should remain a part of LinkedIn’s features. I really hope they don’t go with something like MySpace did with the msplinks stuff. That basically puts a big obnoxious splash page up stating you are about to visit content off of the site. Yeah, well no crap, I just clicked on the link so of course I want to visit the page. I personally don’t think that is a very effective control for these types of attacks anyway. The only time that control is effective is when it isn’t clear to the user that they are leaving the site they are on. I have seen in the past MySpace profiles that were compromised so that the whole profile links to a bogus MySpace login page. In that case a user seeing the warning would be alerted that something is wrong; however, you are still going to have a large number of people just cough up their credentials anyway. Sometimes all the controls in the world just can’t fix stupid. The same people that would fall for this are the same ones that click on spam emails claiming the same thing. It’s a mentality, not a technical security issue.
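To make the distinction above concrete (a profile that merely hyperlinks off-site versus one that pulls off-site content into the page), and to show what an msplinks-style outbound interstitial actually does and does not cover, here is an added example. It is not code from the original post, from LinkedIn, or from MySpace. It assumes a hypothetical profile site at `social.example`, a hypothetical `/outbound` interstitial path, and a constructed profile HTML snippet.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

# Tags whose resource is fetched by the browser automatically when the page
# renders. An off-site URL here runs without any click from the visitor.
EMBED_TAGS = {"img": "src", "script": "src", "iframe": "src",
              "object": "data", "embed": "src"}

# Constructed sample profile for a hypothetical site at social.example.
SAMPLE_PROFILE = """
<div class="profile">
  <a href="/in/example-user">My profile</a>
  <a href="http://www.example.com/blog">Personal site</a>
  <a href="http://bad.example.net/pics.exe">Exclusive pictures</a>
  <img src="http://tracker.example.net/pixel.gif">
  <script src="http://cdn.social.example/app.js"></script>
</div>
"""


def is_offsite(url, site_host):
    """True if url points to a host other than site_host or its subdomains.

    Relative URLs (and scheme-only URLs such as mailto:) have no host and are
    treated as on-site.
    """
    parts = urlsplit(url)
    if not parts.netloc:
        return False
    host = (parts.hostname or "").lower()
    return host != site_host and not host.endswith("." + site_host)


class ProfileLinkAuditor(HTMLParser):
    """Separates off-site hyperlinks (click required) from off-site embeds."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.hyperlinks = []  # <a href> to another site: only followed on click
        self.embeds = []      # src/data to another site: fetched on render

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            if is_offsite(a["href"], self.site_host):
                self.hyperlinks.append(a["href"])
        elif tag in EMBED_TAGS:
            url = a.get(EMBED_TAGS[tag])
            if url and is_offsite(url, self.site_host):
                self.embeds.append(url)


def audit_profile(html, site_host):
    """Return off-site hyperlinks and off-site embeds found in profile HTML."""
    parser = ProfileLinkAuditor(site_host)
    parser.feed(html)
    return {"hyperlinks": parser.hyperlinks, "embeds": parser.embeds}


def wrap_offsite_links(html, site_host, interstitial="/outbound"):
    """msplinks-style rewrite: route off-site <a href> through an interstitial.

    Only hrefs are rewritten. Embedded resources (img/script/iframe src) are
    deliberately left alone because an interstitial cannot intercept them;
    the browser fetches them without asking the user, so the only real
    control for those is not allowing off-site embeds at all.
    """
    def repl(match):
        href = match.group(1)
        if not is_offsite(href, site_host):
            return match.group(0)
        return 'href="%s?%s"' % (interstitial, urlencode({"url": href}))

    # Simplistic attribute rewrite; adequate for the constructed sample.
    return re.sub(r'href="([^"]*)"', repl, html)


if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE, "social.example")
    print("off-site hyperlinks (need a click):", report["hyperlinks"])
    print("off-site embeds (fetched on render):", report["embeds"])
    print(wrap_offsite_links(SAMPLE_PROFILE, "social.example"))
```

Running it on the sample shows two off-site hyperlinks and one off-site image embed; only the hyperlinks get the interstitial, which is the author's point: the splash page is at best a speed bump for something the visitor already chose to click, while anything the profile can embed is the part worth controlling.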
Let me state this: if you are not a complete idiot then this issue will not affect you in the least bit. These profiles are not performing any active attacks on users of LinkedIn. There are much scarier things out there than this, trust me. Don’t fear using LinkedIn because of issues like this. LinkedIn really has a very limited feature set, which lowers its attack surface. It has much less functionality than other social networks such as MySpace, Facebook, Hi5, etc. Would you really care to see Beyoncé Knowles’ LinkedIn profile anyway? I bet she is boring and fake. Her LinkedIn profile would state, “I have never had to work for anything in my life and everything has been handed to me because dummies think I have talent. I love screwing over my friends and taking money out of their pockets”. She should apologize to the world for creating that DirecTV Upgrade song. Yuck! Wait a minute, she doesn’t write her own music… Anywhoo….
I can’t believe I had to write this blog post, but the sheer number of people talking about this and linking to these stories was too much. Just practice smart Internet browsing habits mixed with common sense and you will be fine. As always, I recommend using the Firefox web browser with the extensions NoScript and Adblock Plus. Have a good week; the end of the Internet is next week.