科技创新!
Huge LinkedIn loophole put user security at risk
If you were browsing the LinkedIn job boards this morning, you could have come across a job opening from Mashable titled “Assistant to Matt Binder.”
It's true. It would be the best job in the world...if it actually existed. Credit: Screenshot: matt binder / mashable Even though it appears right there on Mashable’s official LinkedIn business page, the company, unfortunately, is not hiring me an assistant. Mashable’s human resources department did not post that job listing. No one at the company posted the opening. The job does not exist.
So, how did it show up alongside the company’s very real, official job posts?
One of these Mashable job openings is not like the others. Credit: screenshot: matt binder / mashable Michel Rijnders, an online recruiter from the Netherlands with absolutely no connection to Mashable, posted it. (The job listing has since been taken down.)
Rijnders discovereda serious flaw embedded within a very basic LinkedIn feature that allows users to post an official looking job opening on nearly any company’s LinkedIn business page. These unofficial listings show up on a company’s “Jobs” page and look just like any other job opening posted legitimately by the organization.
Tweet may have been deleted
Earlier, Rijnders created job posts for a new Chief Executive Officer for LinkedIn and Google, something he very much has zero authority to do. Both fake listings appeared on the tech giants’ LinkedIn business pages alongside their other job openings. The listings also appeared in LinkedIn’s job search. There was no approval process required.
While LinkedIn does usually charge for posting a job listing, Rijnders, a premium LinkedIn subscriber, says he has been able to list each job opening for free.
Tweet may have been deleted
Google, which scrapes hirings from recruitment websites all over the internet, aggregated the fake opening for its CEO position to its own job platform. Sorry, actual Google CEO Sundar Pichai.
Rijnders was even able to take LinkedIn users offsite by linking his own business’ website to the “Apply” button on the job listing.
It’s easy to see how a scammer could use these fake but official-looking listings, aggregated all over the web to other trusted sources who also believe the listings to be official, for nefarious means. People hand over a lot of personal data when applying for a job.
In fact, one notable offender, a job-scraping site called Jooble, is what tipped off Rijnders to the problem to begin with.
“For a while I noticed scrapers, like Jooble, posting massive amounts of jobs at companies on LinkedIn without consent of those companies,” wrote Rijnders in an email to Mashable. “A lot of companies complained without any result. The bad thing is [the scrapers] collect the application details of applicants who think they actually apply at the company. These companies also seem to only pick smaller companies to do this with less risk of getting into trouble.”
Other LinkedIn users repliedto Rijnders’ LinkedIn post saying that they’ve brought up this problem to the company before.
SEE ALSO: LinkedIn is full of spies“Because LinkedIn didn't really seem to see this as a problem, I used the same loophole to make the problem a bit more clear and urgent to them,” he explained. “That worked.”
LinkedIn is now apparently aware of the issue.
“Thank you, Michel Rijnders, for bringing this to our attention,” wrote LinkedIn’s head of trust and safety, Paul Rockwell, in a commentunder Rijnders’ post. “We've removed the posting and we're resolving the issue that allowed this post to go live.”
“LinkedIn is a place for real people to have real conversations about their careers. It's not a place for fake jobs,” Rockwell continued. “Posting jobs without explicit permission or knowledge of another party is against our Terms of Service. We are committed to stopping fraudulent jobs from ever reaching our members through automated technology and the help of our members reporting any suspicious job postings.”
While Rijnders confirms that his fake LinkedIn and Google listings were removed by the company, he was still able to exploit the flaw to create a Mashable listing more than 24 hours after publishing his post.
UPDATE: July 26, 2019, 5:01 p.m. EDT In addition to the earlier comment from LinkedIn's head of trust and safety, Paul Rockwell, a company spokesperson sent us the following statement:
This issue was caused by a bug in our online jobs experience that allowed members to edit the company after a job had already been posted. The issue has now been resolved.
Fraudulent job postings are a clear violation of our Terms of Service. When they are brought to our attention, we quickly move to take them down.
While we do allow companies to post on behalf of other companies (such as in the case of recruiting firms), this is only permitted with the knowledge of both parties.
Regarding free job postings, we have not historically had free job postings as part of the LinkedIn experience. However, we’re running a test that allows small and medium sized businesses to post a limited number of jobs for free. This member was a part of that test.
Featured Video For You
Google Nest camera security flaw allows former owners to observe others' homes
文章
94327
浏览
1
获赞
679
热门推荐
Apple promises Xbox Series X controller support on iPhone in update
Microsoft's Xbox controllers have generally been easy to use on non-Xbox devices over the years, andRepublicans vote to subpoena Facebook, Twitter CEOs in the wake of Hunter Biden story
Next Wednesday, Facebook’s Mark Zuckerberg, Twitter’s Jack Dorsey, and Google CEO SundarFlorida Governor's voter registration hacked by 20
Well, would you look at that: Someone made it slightly more difficult for voter-suppression championWhat Prop. 22 could mean for the gig economy nationwide
After Election Day in California, labor groups and coalitions of drivers were devastated. Ride-hailiNice guy Ryan Reynolds puts up a cash reward for a lost teddy bear
Beneath the snark and sass that made him such a perfect Deadpool, Ryan Reynolds seems like a lovely,Lyft and Uber saw increased use among essential workers in 2020
Before the COVID-19 pandemic, the typical Uber and Lyft rider was a younger, urban-dwelling, high-inOn TikTok, everyone wants perfect teeth
Dr. Sara Hahn starts every TikTok videothe same way: "Dr. Sara, Harvard DMD, here for a veneer check5 changes Google Maps should make for better driving directions
With the COVID-19 pandemic keeping many of us away from buses and trains (and Uber and Lyft rides),How to change your TikTok username
TikTok has evolved in the years since it was once Musical.ly. Now, instead of being purely a place fHow to move your Twitter followers to Substack
Given Twitter's change of management, you may be considering flapping your tired little wings over tOn TikTok, everyone wants perfect teeth
Dr. Sara Hahn starts every TikTok videothe same way: "Dr. Sara, Harvard DMD, here for a veneer checkApple M1 Mac users complain of Bluetooth issues
Apple's Macs with M1 processors — the new MacBook Air, 13-inch MacBook Pro, and Mac mini &mdasBask in the glory of this enormous dog getting a bath
Here's something cute: a dog. Here's something cuter: a dog getting a bath. Here's something even cuTwitter tests audio conversation 'spaces' with user moderation tools
Nothing pairs with your pinot and gruyère quite like a Twitter test feature.The social mediaCreators say YouTube Shorts has a transphobia problem
YouTube is high on the success of YouTube Shorts, a short-form video offering they introduced in Sep