Researcher finds LinkedIn security flaw

Researcher finds LinkedIn security flaw

Summary: New Delhi-based security expert says LinkedIn access cookie only expires after one year, potentially allowing hacker access to user accounts without need for passwords, according to news report.

SHARE:

A security researcher has warned of a vulnerability that could expose LinkedIn user accounts, news agency Reuters reported Monday.

The flaw relates to how the professional networking site manages cookies stored in user PCs after they log in to their accounts, according to Rishi Narang, who is based in New Delhi, India.

Narang, who posted the security flaw on his blog, told Reuters that unlike other Web sites which cookies typically expire within 24 hours, LinkedIn's "LEO_AUTH_TOKEN" has a validity of one year. This allows anyone who retrieves the specific file to access that particular user's account, without the need for log-in credentials.

The researcher added in the report that the problem of the one-year expiration for the cookie is "particularly acute" as LinkedIn users are not aware of this vulnerability and that they should protect the cookies.

In his blog post, Narang described a "worst-case scenario" of a hijacked user account, which can be accessed by an attacker despite a change of password or other settings because the "old cookie is [still] valid".

He also questioned in the post why LinkedIn keeps the cookie active even after a user has logged out and terminates the session.

According to Reuters, LinkedIn declined to respond to Narang's criticism of the year-long cookie validity, but issued a statement stating that it "takes the privacy and security of our members seriously".

The company also said it currently supports SSL (secure sockets layer) technology to encrypt "sensitive" data including account logins.

Narang, however, pointed out to Reuters that LinkedIn's cookies lacked SSL encryption, which means hackers can steal cookies using widely-available tools for sniffing Internet traffic.

LinkedIn, in its statement, noted that cookie encryption is expected to be available in the coming months, as part of its plans to allow users to opt in to SSL support for other parts of the site.

News of the vulnerability comes less than a week after LinkedIn scored an initial public offering of US$352.8 million, making it the first social media company to go public.

Last year, security researchers found several fake LinkedIn e-mail invitations designed to trick people into clicking links that led to the Zeus Trojan.

Topics: Security, Apps, Browser, CXO, Social Enterprise

Jamie Yap

About Jamie Yap

Jamie writes about technology, business and the most obvious intersection of the two that is software. Other variegated topics include--in one form or other--cloud, Web 2.0, apps, data, analytics, mobile, services, and the three Es: enterprises, executives and entrepreneurs. In a previous life, she was a writer covering a different but equally serious business called show business.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion