  • The shortened URL lnkd.in was found with its TLS certificate lapsed.
  • This is the second time LinkedIn forgot to renew the certificate on time, putting user data at risk.

Professional networking website LinkedIn was found with an expired TLS certificate earlier this week. On Tuesday, some users reported that they received a warning when they tried to access LinkedIn’s website on their computers. It turned out that the site’s TLS certificate had lapsed. However, LinkedIn renewed the certificate once it was notified of the issue. The new certificate is valid for the next two years.

What happened?

  • LinkedIn apparently forgot to renew the TLS certificate for its shortened URL lnkd.in. As a result, users were shown security alerts when they accessed the site from browsers.
  • The expired certificate mainly affected desktop users of LinkedIn. Users of the LinkedIn app were not impacted by the issue.

Second lapse since 2017

This is the second time the Microsoft-owned company has failed to renew one of its security controls. Previously, in December 2017, LinkedIn let its SSL certificate expire, which affected millions of users in the US, UK, and Canada.

Carl Leonard, a Principal Security Analyst at Forcepoint, was one of the users who reported this issue to LinkedIn. “Large organizations with hundreds of millions of users globally should be setting the standard for security practices and unfortunately this is the second time that LinkedIn failed to update their SSL certificate, effectively putting user data and privacy at risk,” Leonard told SecurityWeek.

Cyware Publisher