Huge LinkedIn loophole puts user security at risk
If you were browsing the LinkedIn job boards this morning, you could have come across a job opening from Mashable titled “Assistant to Matt Binder.”
Even though it appears right there on Mashable’s official LinkedIn business page, the company, unfortunately, is not hiring me an assistant. Mashable’s human resources department did not post that job listing. No one at the company posted the opening. The job does not exist.
So, how did it show up alongside the company’s very real, official job posts?
Michel Rijnders, an online recruiter from the Netherlands with absolutely no connection to Mashable, posted it. (The job listing has since been taken down.)
Rijnders found a serious flaw embedded within a very basic LinkedIn feature that allows users to post an official-looking job opening on nearly any company’s LinkedIn business page. These unofficial listings show up on a company’s “Jobs” page and look just like any other job opening posted legitimately by the organization.
Earlier, Rijnders created job posts for a new Chief Executive Officer for LinkedIn and Google, something he very much has zero authority to do. Both fake listings appeared on the tech giants’ LinkedIn business pages alongside their other job openings. The listings also appeared in LinkedIn’s job search. There was no approval process required.
Mashable reached out to LinkedIn for comment and will update this story when it hears back.
While LinkedIn does usually charge for posting a job listing, Rijnders, a premium LinkedIn subscriber, says he has been able to list each job opening for free.
LOL. Never thought of the fact that the LinkedIn loophole would also make my jobpost for CEO of Google appear on Google Jobs. https://t.co/q5j8c2Elte
— Michel Rijnders (@rijnders) July 25, 2019
Google, which scrapes hirings from recruitment websites all over the internet, aggregated the fake opening for its CEO position to its own job platform. Sorry, actual Google CEO Sundar Pichai.
Rijnders was even able to take LinkedIn users offsite by linking his own business’ website to the “Apply” button on the job listing.
It’s easy to see how a scammer could use these fake but official-looking listings, aggregated all over the web to other trusted sources who also believe the listings to be official, for nefarious means. People hand over a lot of personal data when applying for a job.
In fact, one notable offender, a job-scraping site called Jooble, is what tipped off Rijnders to the problem to begin with.
“For a while I noticed scrapers, like Jooble, posting massive amounts of jobs at companies on LinkedIn without consent of those companies,” wrote Rijnders in an email to Mashable. “A lot of companies complained without any result. The bad thing is [the scrapers] collect the application details of applicants who think they actually apply at the company. These companies also seem to only pick smaller companies to do this with less risk of getting into trouble.”
Other LinkedIn users replied to Rijnders’ LinkedIn post, saying that they’ve brought up this problem to the company before.
“Because LinkedIn didn’t really seem to see this as a problem, I used the same loophole to make the problem a bit more clear and urgent to them,” he explained. “That worked.”
LinkedIn is now apparently aware of the issue.
“Thank you, Michel Rijnders, for bringing this to our attention,” wrote LinkedIn’s head of trust and safety, Paul Rockwell, in a comment under Rijnders’ post. “We’ve removed the posting and we’re resolving the issue that allowed this post to go live.”
“LinkedIn is a place for real people to have real conversations about their careers. It’s not a place for fake jobs,” Rockwell continued. “Posting jobs without explicit permission or knowledge of another party is against our Terms of Service. We are committed to stopping fraudulent jobs from ever reaching our members through automated technology and the help of our members reporting any suspicious job postings.”
While Rijnders confirms that his fake LinkedIn and Google listings were removed by the company, he was still able to exploit the flaw to create a Mashable listing more than 24 hours after publishing his post.