LinkedIn SSO Flaw Bypasses Password Reset Protections

Finding a Security Flaw in LinkedIn’s Google Single Sign-On Integration

While reviewing LinkedIn’s account security features, I discovered a serious problem with how their Google Single Sign-On (SSO) works—one that could let someone bypass password resets and logouts.

Description of the Issue

Normally, when you change your LinkedIn password and select the “log out from all devices” option, you expect all your active sessions to be closed. This helps protect your account if you think someone else has access.

However, I found that if someone remains logged into the Gmail account linked to your LinkedIn, they can simply click “Sign in with Google” on LinkedIn and immediately regain access—without needing your old password or any additional verification.

This means LinkedIn trusts the active Google login session more than your explicit request to log out everywhere, which breaks the security model users rely on.

Steps to Reproduce

  1. Log into LinkedIn using Google SSO tied to your Gmail account.

  2. Change your LinkedIn password.

  3. Select “Log out from all devices” in your LinkedIn security settings.

  4. On the same device (or another with active Gmail login), go to LinkedIn and click “Sign in with Google.”

  5. Notice you regain full access without entering the LinkedIn password or verifying identity again.

Security and Privacy Impact

This behavior introduces several risks:

  • Bypassing Password Resets: Attackers or unauthorized users with Gmail access can skip LinkedIn’s logout protections.

  • Session Management Flaw: LinkedIn’s session invalidation doesn’t fully consider active SSO sessions.

  • Potential Account Takeover: Anyone with Gmail access can get back into LinkedIn, even after a forced logout.

  • Misalignment with User Intent: The user’s decision to log out everywhere is overridden by LinkedIn trusting Google sessions blindly.

Business Impact

If exploited, this flaw could:

  • Result in account hijackings and data theft.

  • Damage LinkedIn’s reputation for security and trustworthiness.

  • Cause users to lose confidence in password reset and logout features.

Conclusion

This experience taught me how important it is that Single Sign-On systems respect explicit security actions like password changes and logout requests. Users expect that when they take steps to secure their accounts, all access is truly cut off.

While this issue was reported and later marked a duplicate, I believe it highlights a crucial area for tighter security. SSO should never override a user’s intent to fully log out.


Comments

Post a Comment

Popular posts from this blog

When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Image
 Back on March 11, 2024 , I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension , even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug . It wasn...
Read more

Understanding Android’s One-Time Permissions and Their Privacy Implications

I recently came across something unusual in Android’s one-time permission system — something that doesn’t quite match the way it’s described in the official documentation. This is related to the permissions we often see when an app asks for access to sensitive resources like the microphone or camera with the setting “Ask every time.” According to Android’s official documentation, one-time permissions should work like this: When the app is visible and in use, it can access the requested resource. If the app is sent to the background, it may still access the resource briefly. If the app is completely closed — either by swiping it away or force stopping it — the permission is revoked immediately. That means, in theory, if I close an app after granting it one-time access, it should ask me again the next time it needs that permission. What I Found While testing, I discovered that Android doesn’t always revoke these permissions instantly when the app is closed. Instead, if ...
Read more

I Accidentally Gained Admin Access to a LinkedIn Company Page - No Verification Needed

I’ve been using LinkedIn for years as a way to connect with professionals, follow companies, and share my work. It’s a platform trusted by millions for networking and recruitment. Company pages are especially important — they act as the official voice of an organization, showing job listings, updates, and brand presence. Recently, while casually browsing LinkedIn, I stumbled upon something that made me stop and rethink how secure this feature really is. I found that it’s possible to take full administrative control of certain company pages without any verification at all. No company email, no proof of employment, no review by HR or LinkedIn — just instant access. How I Discovered It It all started with a LinkedIn post about a drone technology company. Out of curiosity, I clicked through to see their LinkedIn profile. The page didn’t look like the usual auto-generated company pages LinkedIn creates when several employees list the same workplace. Instead, it looked like a manually create...
Read more