科技创新!
Huge LinkedIn loophole put user security at risk
If you were browsing the LinkedIn job boards this morning, you could have come across a job opening from Mashable titled “Assistant to Matt Binder.”
It's true. It would be the best job in the world...if it actually existed. Credit: Screenshot: matt binder / mashable Even though it appears right there on Mashable’s official LinkedIn business page, the company, unfortunately, is not hiring me an assistant. Mashable’s human resources department did not post that job listing. No one at the company posted the opening. The job does not exist.
So, how did it show up alongside the company’s very real, official job posts?
One of these Mashable job openings is not like the others. Credit: screenshot: matt binder / mashable Michel Rijnders, an online recruiter from the Netherlands with absolutely no connection to Mashable, posted it. (The job listing has since been taken down.)
Rijnders discovereda serious flaw embedded within a very basic LinkedIn feature that allows users to post an official looking job opening on nearly any company’s LinkedIn business page. These unofficial listings show up on a company’s “Jobs” page and look just like any other job opening posted legitimately by the organization.
Tweet may have been deleted
Earlier, Rijnders created job posts for a new Chief Executive Officer for LinkedIn and Google, something he very much has zero authority to do. Both fake listings appeared on the tech giants’ LinkedIn business pages alongside their other job openings. The listings also appeared in LinkedIn’s job search. There was no approval process required.
While LinkedIn does usually charge for posting a job listing, Rijnders, a premium LinkedIn subscriber, says he has been able to list each job opening for free.
Tweet may have been deleted
Google, which scrapes hirings from recruitment websites all over the internet, aggregated the fake opening for its CEO position to its own job platform. Sorry, actual Google CEO Sundar Pichai.
Rijnders was even able to take LinkedIn users offsite by linking his own business’ website to the “Apply” button on the job listing.
It’s easy to see how a scammer could use these fake but official-looking listings, aggregated all over the web to other trusted sources who also believe the listings to be official, for nefarious means. People hand over a lot of personal data when applying for a job.
In fact, one notable offender, a job-scraping site called Jooble, is what tipped off Rijnders to the problem to begin with.
“For a while I noticed scrapers, like Jooble, posting massive amounts of jobs at companies on LinkedIn without consent of those companies,” wrote Rijnders in an email to Mashable. “A lot of companies complained without any result. The bad thing is [the scrapers] collect the application details of applicants who think they actually apply at the company. These companies also seem to only pick smaller companies to do this with less risk of getting into trouble.”
Other LinkedIn users repliedto Rijnders’ LinkedIn post saying that they’ve brought up this problem to the company before.
SEE ALSO: LinkedIn is full of spies“Because LinkedIn didn't really seem to see this as a problem, I used the same loophole to make the problem a bit more clear and urgent to them,” he explained. “That worked.”
LinkedIn is now apparently aware of the issue.
“Thank you, Michel Rijnders, for bringing this to our attention,” wrote LinkedIn’s head of trust and safety, Paul Rockwell, in a commentunder Rijnders’ post. “We've removed the posting and we're resolving the issue that allowed this post to go live.”
“LinkedIn is a place for real people to have real conversations about their careers. It's not a place for fake jobs,” Rockwell continued. “Posting jobs without explicit permission or knowledge of another party is against our Terms of Service. We are committed to stopping fraudulent jobs from ever reaching our members through automated technology and the help of our members reporting any suspicious job postings.”
While Rijnders confirms that his fake LinkedIn and Google listings were removed by the company, he was still able to exploit the flaw to create a Mashable listing more than 24 hours after publishing his post.
UPDATE: July 26, 2019, 5:01 p.m. EDT In addition to the earlier comment from LinkedIn's head of trust and safety, Paul Rockwell, a company spokesperson sent us the following statement:
This issue was caused by a bug in our online jobs experience that allowed members to edit the company after a job had already been posted. The issue has now been resolved.
Fraudulent job postings are a clear violation of our Terms of Service. When they are brought to our attention, we quickly move to take them down.
While we do allow companies to post on behalf of other companies (such as in the case of recruiting firms), this is only permitted with the knowledge of both parties.
Regarding free job postings, we have not historically had free job postings as part of the LinkedIn experience. However, we’re running a test that allows small and medium sized businesses to post a limited number of jobs for free. This member was a part of that test.
Featured Video For You
Google Nest camera security flaw allows former owners to observe others' homes
文章
1
浏览
4
获赞
236
热门推荐
Apple now gives customers a full year to buy AppleCare+
If you bought an iPhone recently, Apple has some good news for you.Bloomberg reported Monday that foHow to balance your side hustle with a full
There are many compelling reasons to start a second job. Paying down debt, saving to travel, and jusApple Watch Series 6 puts an emphasis on tracking blood oxygen levels.
In case one new Apple Watch wasn't enough for you, Apple unveiled twoat its product event on TuesdayLorde's shushgate, explained
Compilations of Lorde shushing the crowd while singing "Writer in the Dark" have gone viral on TikToI 'walked' Boston Dynamics' robot dog around San Francisco
"What's its name?" "Can I take a photo?""What is that?"The Boston Dynamics robot dog known as Spot sApple's smallest new iPhone will be called iPhone 12 mini, leaker claims
With Apple's iPhone event (probably) happening next month, we have a pretty good idea about the phonThis easy air fryer hot dog recipe is a delicious must
There's something idyllic about hot dogs in the summertime. It's the simplest food and it always worThis school subject, folder color debate is perfect internet fodder
The internet loves to debate, argue, and flat-out fight. Twitter's core function might just be maintThis lawyer helped legalize same
Every day of Pride Month, Mashable will be sharing illuminating conversations with members of the LGTesla is first car compatible with Amazon's Ring Car Connect
Tesla owners already have Sentry Mode for car security. But for extra protection, they can buy a $20Militia used Facebook to plan kidnapping of Michigan governor, FBI claims
Violent militia groups have long had a thing for Facebook, and a newly foiled violent plot makes cleGoogle Photos gets smarter, AI
Google just launched a bunch of hardware, including two new Pixel phones, but the company has also bThe 'Cats' trailer gave everyone nightmares, so we're coping with memes
The CATStrailer dropped on Thursday and everyone is deeply uncomfortable. Many stage-to-screen produTiktok's viral air fryer bagel is a sweet nightmare
When all else fails, here is my go-to breakfast: A fried egg, tucked inside a warm corn tortilla, toTwitter updates policy on sharing hacked data after 'NY Post' mess
The disputed New York Post story about Democratic nominee Joe Biden's son,Hunter Biden, may be a dud