LinkedIn iOS app also vulnerable to plist identity theft

Following the recent findings by Gareth Wright about the Facebook iOS app storing authentication keys in a plain text file that is easily accessible even on non-jailbroken devices (allowing it to simply be copied to another device to grant access to that account), we have just discovered that the same security flaw is also present in the latest version of the LinkedIn iPhone app. You can also easily extract these plist files from iTunes backups.

Using a free app (in this case iExplorer) to browse the contents of your iPhone, if you navigate to Apps/LinkedIn/Library/Preferences you will find a file named com.linkedin.LinkedIn.plist; this is the file in question.

Simply copying the com.linkedin.LinkedIn.plist file from one device to another and then relaunching the LinkedIn app will automatically log the user in using the account details from the cloned plist file.
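As an added example (not code from the original post or from LinkedIn), here is a check an app developer could run over their own app's preferences plist, pulled from a device or backup, to flag entries that look like stored credentials. The key-name patterns and the sample plist contents are assumptions constructed for illustration; the post does not list the actual keys in com.linkedin.LinkedIn.plist.

```python
import plistlib
import re

# Heuristic (an assumption): key names that usually indicate a stored credential.
SENSITIVE_KEY = re.compile(
    r"(token|secret|passw|session|auth|cookie|api[_-]?key)", re.IGNORECASE
)


def find_credential_like_entries(plist_bytes):
    """Return sorted key paths whose names suggest a credential stored in the plist.

    Accepts both XML and binary plists; plistlib detects the format itself.
    """
    root = plistlib.loads(plist_bytes)
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}/{key}" if path else str(key)
                # Only non-empty string/data values count; containers are walked.
                if (SENSITIVE_KEY.search(str(key))
                        and isinstance(value, (str, bytes)) and value):
                    hits.append(child)
                walk(value, child)
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, f"{path}[{index}]")

    walk(root, "")
    return sorted(hits)


# Constructed sample standing in for an app's Library/Preferences plist.
# Key names and values are invented for this example.
SAMPLE = plistlib.dumps({
    "lastSyncDate": "2012-04-05",
    "oauthToken": "EXAMPLE-TOKEN-VALUE",
    "account": {"displayName": "Example User",
                "oauthTokenSecret": "EXAMPLE-SECRET"},
    "recentSearches": ["alice", "bob"],
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for key_path in find_credential_like_entries(SAMPLE):
        print("credential-like value in preferences plist:", key_path)
```

Any hit is a value that travels with the plist file, so it is a candidate for moving out of the preferences file and into the iOS Keychain.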

I “nabbed” a copy of Gareth Wright’s LinkedIn plist (he emailed it to me) and dropped it onto my own non-jailbroken iPhone and relaunched LinkedIn.

I was instantly into Gareth’s LinkedIn Profile. I could browse all his personal messages, invitations, contacts, edit his profile and even send myself an invite to join his network!

Here was my LinkedIn screen prior to copying the plist file over

and here it was after copying the plist and relaunching the app. At no point did it prompt me to re-enter my password or authenticate.

I was able to navigate his LinkedIn profile without any issues, view all his messages, invitations, connections and even create an invitation and send it to myself.

and here is the invitation I received

Amazon not checking passwords properly or password bug?

I just tried to log in to my Amazon account and didn’t notice Chrome had already pre-filled in my password so I ended up typing my password on the end of the pre-filled password and in my rush hit Enter…it logged me in!? WTF?

I logged out of my Amazon account and tried logging in with a completely incorrect password and it was rejected. I then tried with my correct password but added some arbitrary numbers to the end (123456) and it still logged me in! Seriously? If your password is only X characters long, Amazon only checks the first X characters that you have entered in the password field?

For Example:

If your Amazon password is helloworld (mine’s not that btw) and you tried to log in using helloworld123456, it accepts it as your password. It’s not even respecting case sensitivity and is accepting HELLOWORLD. Likewise, if you enter any of the following in the password field it will accept it and log you in:

  • helloworldhelloworld
  • helloworldblahblahblah
  • helloworld_this_is_not_very_secure_surely
  • HELLOWORLD
  • HeLlOwORldABC123
