I Accidentally Gained Admin Access to a LinkedIn Company Page - No Verification Needed
I’ve been using LinkedIn for years as a way to connect with professionals, follow companies, and share my work. It’s a platform trusted by millions for networking and recruitment. Company pages are especially important — they act as the official voice of an organization, showing job listings, updates, and brand presence.
Recently, while casually browsing LinkedIn, I stumbled upon something that made me stop and rethink how secure this feature really is. I found that it’s possible to take full administrative control of certain company pages without any verification at all. No company email, no proof of employment, no review by HR or LinkedIn — just instant access.
How I Discovered It
It all started with a LinkedIn post about a drone technology company. Out of curiosity, I clicked through to see their LinkedIn profile. The page didn’t look like the usual auto-generated company pages LinkedIn creates when several employees list the same workplace. Instead, it looked like a manually created company page — something set up intentionally, perhaps even by the company itself — but it hadn’t been claimed.
At the top of the page, there was a banner saying that only an employee of the company could claim it. That seemed fair. But I decided to test what LinkedIn considered “proof” of being an employee.
I went to my profile and added this company as my current employer. After saving the change, I went back to the company page and refreshed it. To my surprise, a “Claim Page” button appeared. I clicked it, expecting some sort of verification step — but instead, I instantly had full administrative rights over the page.
No Verification at All
What shocked me most was that there was no additional check. LinkedIn didn’t ask me to confirm a company email address like @companydomain.com. I didn’t have to upload a document to prove my employment. There was no waiting period, no approval from an existing page admin, and no manual review by LinkedIn.
All I did was say I worked there, refresh the page, and click a button. That was enough to get full control.
Steps to Reproduce
If someone wanted to replicate what I did, here’s exactly how it could be done:
- Visit a manually created but unclaimed company page on LinkedIn.
- Add the company name as your current employer in your LinkedIn profile.
- Save your profile changes.
- Refresh the company’s LinkedIn page.
- Click “Claim Page.”
That’s it — you now have full administrative rights.
Important Details
There are two key conditions for this to work:
- The company page must be manually created, not one of LinkedIn’s auto-generated pages.
- The page must be unclaimed, meaning no official admin has linked it to their account yet.
Once claimed, the new “admin” gets access to everything a legitimate page owner would — the ability to edit company details, post updates, view analytics, invite followers, and manage page roles.
Why This Is a Problem
This is not just a minor oversight. It’s a serious authorization flaw. LinkedIn is trusting the content of a user’s profile without verifying it. It assumes that if someone says they work for a company, they actually do. In effect, this is like giving someone the keys to your office because they said they worked there on their résumé.
Security and Privacy Risks
The potential misuse is alarming:
- Impersonation & Fraud — A malicious actor could take over the LinkedIn page of a real company and post as them, misleading partners, customers, or investors.
- Phishing & Fake Job Listings — With admin control, an attacker could post fake job openings to trick applicants into sending sensitive personal information.
- Reputation Damage — If someone uses a hijacked page to post inappropriate or false information, the company’s brand could suffer lasting harm.
- Access to Internal Metrics — LinkedIn provides page admins with engagement statistics and audience insights. In the wrong hands, this could reveal useful data to competitors.
- Loss of Platform Trust — LinkedIn’s credibility depends on ensuring that company pages are controlled by legitimate representatives. If this trust is broken, the platform’s professional image suffers.
Business Impact
From a business perspective, this flaw can be exploited in highly damaging ways. A competitor or disgruntled individual could seize control of a rival’s LinkedIn presence, deleting posts, altering branding, or spreading misinformation. Startups and small companies, which may not monitor their pages closely, are especially vulnerable.
Recruitment processes could also be affected. Fake job postings from a hijacked company page could not only scam individuals but also discourage real applicants from applying in the future.
This also opens the possibility for scams targeting investors. An attacker posing as the official voice of a company could announce fake funding rounds, partnerships, or product launches, influencing market perception or even stock prices.
Technical Root Cause
The core of the vulnerability lies in broken authorization logic. LinkedIn is granting administrative privileges based solely on self-declared employment data. There is no secondary validation step to confirm that the person actually works for the company they are trying to claim.
Instead, LinkedIn should implement one or more verification mechanisms, such as requiring a company email address, an approval from an existing admin, or document-based verification. Without these measures, the “Claim Page” feature is open to abuse.
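The flaw and the suggested fix, sketched as an added example (this is not LinkedIn's code; the class names, function names and the `example-drones.test` domain are hypothetical). The first function grants admin on self-declared profile data alone; the second requires a verified address on the company's domain and, once a page has admins, approval from one of them.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: str
    declared_employer: str                             # self-reported, freely editable
    verified_emails: set = field(default_factory=set)  # confirmed via a mailed token

@dataclass
class CompanyPage:
    name: str
    email_domain: str                                  # domain the company controls
    admins: set = field(default_factory=set)
    pending_claims: set = field(default_factory=set)

def claim_vulnerable(user, page):
    """Flawed check described in the post: profile text alone grants admin."""
    if not page.admins and user.declared_employer == page.name:
        page.admins.add(user.user_id)
        return "granted"
    return "denied"

def claim_hardened(user, page):
    """Require evidence the claimant cannot simply assert."""
    if user.declared_employer != page.name:
        return "denied"
    suffix = "@" + page.email_domain.lower()           # leading "@" blocks look-alike domains
    if not any(e.lower().endswith(suffix) for e in user.verified_emails):
        return "denied"
    if page.admins:                                    # already owned: queue for an admin
        page.pending_claims.add(user.user_id)
        return "pending_admin_approval"
    page.admins.add(user.user_id)
    return "granted"

def approve_claim(approver_id, claimant_id, page):
    """Only an existing admin can promote a pending claimant."""
    if approver_id in page.admins and claimant_id in page.pending_claims:
        page.pending_claims.discard(claimant_id)
        page.admins.add(claimant_id)
        return True
    return False

if __name__ == "__main__":
    # Constructed sample data: a user who only edited their profile.
    outsider = User("u1", "Example Drones")
    print(claim_vulnerable(outsider, CompanyPage("Example Drones", "example-drones.test")))
    print(claim_hardened(outsider, CompanyPage("Example Drones", "example-drones.test")))
```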
Final Thoughts
This flaw shows how even a large, established platform like LinkedIn can overlook basic security checks in user workflows. While the process is convenient for legitimate employees trying to claim their company’s page, it’s equally convenient for anyone with bad intentions.
For now, the safest move for companies is to search for their page on LinkedIn and claim it immediately — before someone else does. Unclaimed pages are essentially open doors, and anyone who knows about this gap can walk right in.
Until LinkedIn changes how it verifies page ownership, this vulnerability remains a risk to both companies and the platform’s reputation.