Can you imagine if you could sponsor the published content of any company page on LinkedIn? Well... you can.
I discovered this by chance while exploring the security features of the LinkedIn Ads platform. As a first warning, I discovered that I could create an account connected to any company page on the platform. For my test, I created a new ads account connected to the Google LinkedIn company page.
Not a big deal, I thought, as connecting the page would not necessarily mean that I would be automatically authorized to advertise on its behalf. I proceeded by filling out the details of the campaigns. When I reached the ad selection page, I couldn’t believe my eyes.
The option “Create new ad” was greyed out; however, I could select the ad creative from a list of posts already published by the Google LinkedIn company page. I selected this post from the list.

I launched the campaign, and it worked! I was now advertising on behalf of Google, sponsoring one of their posts. The campaign started accruing some impressions and clicks, at which point I stopped it.

In order to test that this was not an isolated case, I replicated the test by creating a new account connected, this time, to the Prada Group company page. For this experiment I selected a “seasoned” post (2 years of age) from their published content list. And yet again, the campaign started smoothly.

It can be argued that there is no real issue here, as it would be impossible to damage a company by sponsoring its own content. While this is partly true, it is also the case that seeing very old content could confuse users. Imagine, in particular, a situation where a company changes its standpoint on a certain matter over time, and a potential malicious actor sponsors one of its old posts, in which the company stated the opposite of its own most recent viewpoint. I can’t see how this wouldn’t cause potential havoc.
I immediately notified LinkedIn of this and I am currently waiting for an answer.
Have any of you ever noticed the same?
Do you think this happens by design, or did I just find a bug?
Could you think of other possible malicious exploitation scenarios?