LinkedIn Mobile App Lock Delay: A Subtle Security Risk I Identified

Discovering a Delay in LinkedIn Mobile App Lock Security

While testing LinkedIn’s mobile app, I came across a subtle but important flaw involving the app lock feature. This feature is meant to protect user data by requiring re-authentication whenever the app is reopened.

Description of the Issue

The app lock is designed to activate immediately when you return to LinkedIn, requiring either a password or biometric verification. However, I noticed that when you open a link inside LinkedIn—like a profile link—and it opens externally in Chrome, the app lock doesn’t trigger right away after returning to LinkedIn.

Instead, there can be a delay of up to a full minute where the LinkedIn app remains unlocked and fully accessible without any authentication.

Steps to Reproduce

  1. Open the LinkedIn mobile app and log in.

  2. Click on a link inside the app (for example, a profile link) that opens in the Chrome browser.

  3. Browse in Chrome for some time.

  4. Return to the LinkedIn app.

  5. Observe that the app lock does not prompt immediately and instead allows access for up to about a minute without requiring authentication.

Security and Privacy Impact

This delay creates a vulnerability window where:

  • Someone with temporary physical access to the device could view sensitive LinkedIn data without needing to unlock the app.

  • Personal and professional information stored within LinkedIn could be exposed.

  • The expected instant security protection of the app lock is compromised, weakening user trust.

Business Impact

If left unresolved, this behavior could:

  • Lead to privacy breaches affecting millions of LinkedIn users worldwide.

  • Damage LinkedIn’s reputation for securing user data.

  • Cause users to question the effectiveness of app-level security features.

Conclusion

Even though this issue was marked as a duplicate during reporting, I think it highlights an important aspect of mobile app security: consistency. Users rely on app locks to protect their data immediately upon returning to an app, especially one like LinkedIn that holds valuable personal and business information.

Delays—even short ones—can create risks that shouldn’t be overlooked. Ensuring app lock triggers instantly helps maintain user confidence and keeps sensitive information safe.


Comments

Post a Comment

Popular posts from this blog

When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Image
 Back on March 11, 2024 , I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension , even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug . It wasn...
Read more

Understanding Android’s One-Time Permissions and Their Privacy Implications

I recently came across something unusual in Android’s one-time permission system — something that doesn’t quite match the way it’s described in the official documentation. This is related to the permissions we often see when an app asks for access to sensitive resources like the microphone or camera with the setting “Ask every time.” According to Android’s official documentation, one-time permissions should work like this: When the app is visible and in use, it can access the requested resource. If the app is sent to the background, it may still access the resource briefly. If the app is completely closed — either by swiping it away or force stopping it — the permission is revoked immediately. That means, in theory, if I close an app after granting it one-time access, it should ask me again the next time it needs that permission. What I Found While testing, I discovered that Android doesn’t always revoke these permissions instantly when the app is closed. Instead, if ...
Read more

I Accidentally Gained Admin Access to a LinkedIn Company Page - No Verification Needed

I’ve been using LinkedIn for years as a way to connect with professionals, follow companies, and share my work. It’s a platform trusted by millions for networking and recruitment. Company pages are especially important — they act as the official voice of an organization, showing job listings, updates, and brand presence. Recently, while casually browsing LinkedIn, I stumbled upon something that made me stop and rethink how secure this feature really is. I found that it’s possible to take full administrative control of certain company pages without any verification at all. No company email, no proof of employment, no review by HR or LinkedIn — just instant access. How I Discovered It It all started with a LinkedIn post about a drone technology company. Out of curiosity, I clicked through to see their LinkedIn profile. The page didn’t look like the usual auto-generated company pages LinkedIn creates when several employees list the same workplace. Instead, it looked like a manually create...
Read more