Hacker News new | comments | show | ask | jobs | submit login
LinkedIn suffers DNS hijack (app.net)
210 points by mikegreenspan 1164 days ago | hide | past | web | 93 comments | favorite



I'm done with LinkedIn.

I've been on the fence about it for a year now. I get more recruiter spam than value.

I'm also a bit too old for the schadenfreude that accompanies news of my overpaid friends getting canned. I'm running my own race these days and I've never been happier since I stopped comparing my lot in life to the few lucky SOBs I know that survived the cull of sub-prime.

I think a better strategy is (1) your own domain and/or (2) a site on github with actual code to validate* your talents.

*I hate those "Joe Schmo supported you skill in [insert banal technical skill here]" messages. I once put down C++ because I had been working with it for a couple years. Then, I thought better (I would not take a C++ programming job. Period. Hate that language.) and took it off. Next thing I know, I've got coworkers supporting my C++ acumen and LinkedIn trying to push it back on my profile. Ugh. I call that invasive feature creep.

On top of that, they seem to leave the backdoor open a bit too much for a company with $20b market cap.


LinkedIn's value is not centered around your personal profile - it's about the other people that are linked to you and will always have an up-to-date CV/contact details for you.

It is a self-updating rolodex, Outlook Contacts list, phone book, whateveryouwanttocallit.

I really don't want to bookmark 300+ individual pages that all have different creative layouts, get moved, etc. My LinkedIn profile stays up-to-date, you update yours, that's the implicit deal. And we all profit from it. all being defined as a western work related group, english spoken. this is not facebook. Link your gitbub repo from there, absolutely, good idea, but having LinkedIn as your standardized contact info is very valuable.

is LinkedIn managed in a bad way? sure. But for some reason the modern business world has chosen it to focus on it. Xing and other local players never grew enough. the benefits of starting out it in the US. all the surrounding crap they're building is fluff, their core feature is being a global rolodex. would love to slap sense into their product management team.


Thus I've never had more than minimal info on my linkedin profile.

As of this writing, I only have my undergrad and grad school names listed. I don't think I even have my areas of study on there.

Works perfectly as a rolodex.


I don't even have that; just my name and the other required stuff. I still accept connections in the hope that I will join one day, but that seems more and more unlikely.


linked-in's value is also linked somewhat to your curiosity to check who has viewed your profile.


This feature was interesting, but on the other hand it affected my own ability to look at other people's profiles - because, no, I don't want people to know that I looked at their profile.

Which is why I completely disabled it. Having the ability to see who viewed your profile seemed cool at first, but then again, it's useless and the downsides are great.


Quick link for the setting to browse anonymously: https://www.linkedin.com/settings/?tab=profile&modal=nsettin...


+1 to pinaceae


You already upvoted him. No need to comment to that effect.


>I think a better strategy is (1) your own domain and/or (2) a site on github with actual code to validate* your talents.

That's because their target audience is not restricted to the tech savvy. Not everyone knows how to host and maintain their own domain. Not everyone uses github or know what git is.

This was basically why LinkedIn came into fruition in the first place.


I totally get it. I'm only talking about me.

I'm sure this community is generally capable of rolling their own LinkedIn.


I chose both routes. I don't particularly like like LinkedIn, but if it helps me network¹ then it's a positive tool to have until I no longer need it.

¹ yes, I also hate that word, but there you go.


> I think a better strategy is (1) your own domain and/or (2) a site on github with actual code to validate* your talents.

Possibly, but that's for programmers. There are more professions out there.

I just closed my account too. The help page said that my account would no longer be visible on LinkedIn, but after closing and logging out, I still get the "sign up to see the full profile" bait on visiting my old URL (search result from Google).


If recruiters bother you so much, why do offer them bait? Just remove your CV and replace it with a link to your personal site.


I feel a little unloved because recruiters almost never contact me on LinkedIn. I guess my skills aren't cool enough, or else it's because I do more hiring than job seeking..?

I would have thought with Java, C#, objective C, php, node, etc that I'd be a good catch but apparently not!


The DNS was not exactly hijacked, there were issues inside of LinkedIn's top level DNS provider whom were delegating www.linkedin.com authorization to unauthorized nameservers, namely NS[SOMETHING].ztomy.com. The ztomy DNS replaces its delegated domains to point to a domain parking page if there is no record exiting. These changes were then propagated to other nameservers and thus to the end user. End result, dns doesn't point where you think it does.


Au contraire; having the delegation going somewhere unwanted is practically the definition of a DNS hijack. The question is - how did that happen? A malicious third party? a blundering sysadmin? or a bug in some provisioning code?

It does sound like LinkedIn's NOC are playing the blame game already. Well, I guess they've gotta get all those spamming recruiters & sales reps back online.

EDIT: heh, maybe it was The New Guy: http://www.simplyhired.com/job-id/y5bvoz46k6


It's always the new guy, f'n new guy.


ahaha, the job posting is a good find. We'll know if you are right if tomorrow a different add asking for "Total badass, Expert guru knowledge of Bind 9"


That makes sense since we just saw the same problem with USPS realtime shipping rates via production.shippingapis.com, which seems like an odd attack target.

edit: and I mean the exact same issue, it was resolving to a confluence owned IP that was serving a squatter page for the domain.


You used a lot of the right words, but not in the right context. Could you share your source do we can get the full picture?


Can anyone think of a good reason LinkedIn didn't mark their cookies as HTTPS-only?

http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly


Because they allow HTTP, which for any sensitive site is a very bad idea. Their setup enables MITM attacks even against users that are careful to always use HTTPS for visiting LinkedIn.


They forgot?


not only are they not marked secure, but a lot of them are set to linkedin.com meaning they are sent with requests to x.linkedin.com.

considering a lot of their subdomains are still hijacked at this point those cookies are being sent to them


I often describe LinkedIn as a bunch of business people, who have a website. It's not a tech company and the hiring reflects that.



I was an engineering intern there for a summer. The interviews were as difficult as any other tech company in the valley, as was the workload. It is most certainly a tech company.


dsl, no offense, but you seem to have a problem with any company that doesn't hire/provide employment to your average local community college CS grad and instead hires globally based purely on merit.

Linkedin interviews are on par with facebook/google et al.


I don't know anything about dsl's commenting history, but this comment sounds elitist. Not sure if you meant it that way, but your point would have been made without the implication that top schools are a requirement to be globally meritorious.


Really, now the sock puppets are coming out?

I hire people purely on technical merit, I don't even bother reviewing educational credentials. I am opposed to abusing the H1-B system rather than opening offices overseas to bring in skilled labor and raise local standards of living.



Opening new offices overseas is obviously not feasible in all cases and scalable.

And I don't think companies like Linkedin, Facebook, Google etc abuse the H1-B system. People there are genuinely smart.

However, there are certain consulting companies like Accenture, Infosys, TCS, Cognizant, various body shops etc that abuse the shit out of it. The govt. should definitely be more proactive in banning these companies and not play to the likes of NASSCOM. Infact, I'd argue that the govt. should come up with a whitelist of companies to grant H1-Bs to.


Random anecdote:

One of the DNS issues I tried to fix with NIS+ was the 'maintaining a list of trusted servers' problem by distributing the management of the authoritative servers. Trust was built bottom up, and authority came top down.

The way it worked was that clients used a 'coldstart' file which was the (small number) of servers you trusted to provide your namespace lookups. You to their public key and you put it into your coldstart file. Similarly, a server put the key(s) of the servers it trusted above it in the name space in its coldstart file. And at company 'root' level was a set of servers run by a trusted authority.

Locating the authoritative name server for x.y.z from p.q.z (same as DNS root is rightmost) client in x.y.z asks its server for a trusted y.z server, gets it, and asks that server for a trusted z. server, then asks that server for a q.z. server and finally for a p.q.z. server. Once this has happened once you know trusted servers can can jump to the nearest one to start resolving a new path in the namespace.

It was slower on initial lookup and then just as fast as DNS on later ones.

It had the downside that compromised (or borked) high level servers could send you on a different path to different root if the server above them was incorrect.

It is one of the more fun problems in the whole name/directory service space.


DNS SEC doesn't seem any closer to solving this problem, unfortunately.

Do you know of any designs that require a quorum at each level prior to trust? BitCoin seems to be having success with this model, but I'm wondering if anyone's built something like that with the primary intent of creating a directory service.


I don't think they have, much of the work on directory services died when people gave up. DNS was "too hard" to change and Microsoft wasn't going to let anything make into a standard that killed off the need for Active Directory. The LDAP guys, being formerly X.500 guys, went off solving a different problem and ended up somewhat stuck between AD and DNS. Sad really.

That said, your idea about poaching the Bitcoin quorum ideas is a good one. Essentially a data structure, equivalent to the block chain, where it only gets authenticated if enough people ack that its the most valid version of reality. Probably a publishable paper in exploring that question.


I love the fact that AD, and this newer posixy clone FreeIPA essentially operate as independent but interdependent directory services: LDAP, Kerberos, and DNS, and they still need X.500 in the form of SSL CA trusts to finish gluing it all together.

You may see an email from me in the next few weeks asking for feedback on such a paper.


I guess they didn't mark their cookies as 'Secure'. Oh well, the real story here is an app.net link at #1 on HN.


Looks like app.net isn't perfect either. Their HSTS isn't implemented correctly. Only 'alpha.app.net' and 'join.app.net' are protected while 'app.net' is not. They fell into one of the common pitfalls with their http->https redirects: http://coderrr.wordpress.com/2010/12/27/canonical-redirect-p... You can verify this at: chrome://net-internals/#hsts


> Oh well, the real story here is an app.net link at #1 on HN.

I can't tell if this is sarcasm or a serious comment. Could you elaborate on this comment? I don't get why a link by app.net would be news worthy.


My understanding is app.net is trying to be a paid version of twitter. There was/is much debate whether it could ever take off. This is the first time I've ever seen someone link to it. Although now I realize that the link is to the app.net cofounder so that doesn't really say much.


OP works there according to his twitter feed.


I guess because it's not twitter!


> Oh well, the real story here is an app.net link at #1 on HN.

Looks like the app.net post was by a founder so I would take that with a grain of salt.

Edit: While I'm at it according to https://twitter.com/mikegreenspan , the submitter also works at app.net.


http://confluence-networks.com/:

Important Notice [20th June, 2013]

Confluence Networks is a Colocation & Network service provider having tie-ups with data centers across various geographical regions. We don't host any services ourselves. Starting few hours ago, we received reports about some sites (including linkedin.com) pointing to IPs allotted to our ranges. We are in touch with the affected parties & our customer to identify the root cause of this event.

Note that it has already been verified that this issue was caused due to a human error and there was NO security related issue caused by the same. More details will be provided shortly.


This isn't over yet - press dot linkedin.com (dont go there) is still pointing to the rogue server at 204.11.56.17

I'm trying to find other subdomains that might be still pointing there.

edit: i'm enumerating all the linkedin.com hosts using a dict. 80% of A records are returning the rogue IP 204.11

edit: 96 records still pointing at the rogue server, here is a dump I just uploaded:

http://pastebin.com/uc2JXPfB


What nameserver are you using?


against their primary NS ns1.linkedin.com

short TTL's on a lot of these domains

I just ran it again this time using Google name servers and still a lot of subdomains are pointing to the 214 server. confirmed it running against their NS, which means it hasn't been changed yet.


I've got my nameservice hardset through openDNS and it's resolving to 198.55.195.121, which is allocated to NASDAQ OMX according to ARIN...

The 214.-.-.- is some British Virgin Islands allocation?


I just got a message on twitter that 214.11 might be a DDoS mitigation service.. have emailed linkedin to find out what is what.


Seeing 204.11.56.17 for their A record which is

    OrgName:        Confluence Networks Inc
    OrgId:          CN
    Address:        3rd Floor, Omar Hodge Building, Wickhams
    Address:        Cay I, P.O. Box 362
    City:           Road Town
    StateProv:      Tortola
    PostalCode:     VG1110
    Country:        VG
    RegDate:        2011-04-07
    Updated:        2011-07-05


I'm getting 216.52.242.80. Looks legit:

  [prhodes@captainchaos ~]$ whois   216.52.242.80@whois.arin.net
  [Querying whois.arin.net]
  [whois.arin.net]

  #
  # ARIN WHOIS data and services are subject to the Terms of   Use
  # available at: https://www.arin.net/whois_tou.html
  #


  #
  # Query terms are ambiguous.  The query is assumed to be:
  #     "n 216.52.242.80"
  #
  # Use "?" to get help.
  #

  #
  # The following results may also be obtained via:
  # http://whois.arin.net/rest/nets;q=216.52.242.80? showDetails=true&showARIN=false&ext=netref2
  #

  LinkedIn Corporation INAP-LAX-LINKEDIN-38682 (NET-216-52-  242-0-1) 216.52.242.0 - 216.52.242.255
  Internap Network Services Corporation PNAP-8-98 (NET-216-52-0-0-1) 216.52.0.0 - 216.52.255.255


Doing an nslookup here in Vancouver, Canada got me this:

Non-authoritative answer: Name: linkedin.com Address: 216.52.242.86

Does that mean I'm still pointing to the legitimate server?


Was api.linkedin.com compromised/hijacked? If so, that means they'll need to reset a lot of OAuth token/secrets which will be very painful indeed (worse than just a site-wide session reset).


Isn't that the point of OAuth? (versus HTTP basic auth)

Your secret key shouldn't be compromised, because you're supposed to keep that secret. Also if you use HTTPS for requests you'd still get a cert error even if DNS was routing incorrectly. You're probably fine.


Indeed, I misspoke and meant to say tokens/refresh tokens. A similar thing happened for Evernote a while back and knocked down all tokens and required re-authentication across the board.


I think confluence-networks.com may be apart of Network Solutions (which is whom LinkedIn is registered with).

I had a domain (nitren.com), that I let expire after 3yrs and confluence-networks.com back ordered it, I remember looking it up a while back, but if I remember right, all the ip and domains were registered or associated with netsol.


confluence-networks.com is part of DirectI. See http://www.directi.com


I'm going to blatantly advertise my own project "RubyDNS" - it can be a lot of fun, and it is especially relevant because it allows you to perform these kinds of attacks in a controlled environment. http://www.codeotaku.com/projects/rubydns/index.en


Have you played with PowerDNS? It would be awesome to see RubyDNS rewritten as a backend.


Yeah, I've looked at it briefly. Well, RubyDNS already provides the full DNS server functionality, so I didn't really see the point.

What do you think the main benefits would be?


My traceroute is going thru prolexic.com so there might be something else at play here. "Prolexic is the world’s largest and most trusted distributed denial of service (DDoS) mitigation service provider"


I guess it's a good thing I never reset my LinkedIn password after they lost them all, so I don't have a LinkedIn account to be hijacked.


DNS hacks on big public companies seems like a big security oversite form the linkedin team. wow.

Perhaps my HTTPS anywhere extension could have helped folks.


Is HTTPS Anywhere better than HTTPS Everywhere?


While I love your HTTPS anywhere extension and thought (cough) have it installed, I was dismayed that I was allowed to connect to http://www.linkedin.com/.

Then I found out it wasn't synched over last time I changed laptops.

Installing it now. Thanks for the great work!


Does anyone have any corroboration of this?




That is from April 15th.


https://linkedin.com 301s to http://linkedin.com for me. Should I be suspicious or do browsers validate the certificate even during re-directs?


The certificate is validated before the 301 is sent.


LinkedIn has posted a statement pointing over to "the company that manages our domain" - http://linkd.in/12XMvpu


HTTPS everywhere; that's all I have to say. Something like this is very malicious and very hard to detect -- unless you ALWAYS use SSL. I noticed right away that the DNS was incorrect.


I just realised; If you opened a website with a linked in share button, your cookie might be compromised as well; you didn't even have to go the the site while under the DNS Hijack...


Can someone examine the cookies that they set and tell if there is any sensitive information (passwords?) that are hashed in there? Should we consider this a password breach?


Can they actually snarf cookies from other sites you're logged into, or would they only be able to get at your LinkedIn session cookies?


No. Cookies only get sent to the originating domain. What happened here is *.linkedin.com points to the rogue server so your cookies get passed to them instead of the real Linkedin.


How has app.net adoption been going?


fidelity.com is also not accessible. Currently traffic is routed to some domain parking page.


Appears to be corrected at this time.


It depends what nameserver you're using. At this time, I see bad results from 3 nameservers on http://www.whatsmydns.net/#A/fidelity.com

It seems this website chooses a random selection from a larger pool of nameservers, so if you refresh the page you may get different results.


Seems legit.

www.ztomy.com


ztomy.com is part of the DirectI/ResellerClub/etc. group of companies. They operate paid domain parking programs for registrars.


Weren't they asking for your email passwords the other day?


Someone turned off the 'more magic' switch...


well, certainly the photo upload still is not working, you can update your photo via their website apparently.


LinkedIn seems to be back online.


What a Hacking Idea. Seriously!


Watershed moment for ADN?


Sigh. At least they didn't leak plaintext passwords again


When did they ever leak plaintext passwords before? If you're referring to the event a year ago, that was unsalted MD5 hashes (obviously not great, but let's not hyperbolize.)


The leaked passwords were hashed and unassociated with emails.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: