A researcher found a LinkedIn feature that lets anyone create a job listing on the platform for any employer without being affiliated with the company. Unfortunately, such posts look authentic (and in a way, they are) and can’t be easily taken down by the employer.
This gives attackers new ways to post bogus listings for malicious purposes like collecting personal information and resumes from professionals for later scams or phishing campaigns or selling it to other bad actors.
Harman Singh, a security expert at Cyphere, shared information about the flawed feature with BleepingComputer this week.
“Anyone can post a job under a company’s LinkedIn account and it appears exactly the same as a job advertised by a company. I have checked it but stopped short of posting a job, but it goes fine till the preview,” Singh told BleepingComputer in an email interview.
Researchers successfully created a bogus LinkedIn job post on behalf of BleepingComputer from an unaffiliated LinkedIn account, almost anonymously.
“For example, if Google’s LinkedIn company page is vulnerable, we will be able to post a job on their behalf and add some parameters to redirect applicants to a new website where we can harvest [personal information and credentials] and what not usual tricks of social engineering,” Singh further told BleepingComputer.
The job listing would have looked authentic if it had come from Google. Moreover, it did not show which user account created the posting.
Then, by using LinkedIn’s Easy Apply feature, applicants can easily upload their resume and send it straight to a test email account. Collecting CVs and personal information through such a test email account would not reveal any suspicious activity, to security experts or to tools, on the part of the applicant or the employer, leaving little to no chance of countering such a campaign.
Although the feature is good for pen-testers and red teams for the purposes of social engineering and reconnaissance, it can be abused by threat actors to carry out phishing attacks, researchers warn.
Even worse, such a job posting cannot be taken down from the company’s page even by a super admin, and admins do not have access to the details of the posted jobs either.
Fortunately, there are other steps businesses can take to prevent unauthorized job postings.
“You can manually email to the LinkedIn trust and safety team to get those options enabled that allow you to block unauthorised posts, and only allow authorised team members to post jobs,” Singh told BleepingComputer, while sharing the team’s email address: tns-SAFE@linkedin.com
This email address is not shared anywhere online, so it’s unlikely users are aware of it. It’s now up to LinkedIn to mitigate this issue and provide guidance to any impacted businesses.