Researcher finds LinkedIn security flaw

New Delhi-based security expert says LinkedIn access cookie only expires after one year, potentially allowing hacker access to user accounts without need for passwords, according to news report.
Written by Jamie Yap, Contributor on

A security researcher has warned of a vulnerability that could expose LinkedIn user accounts, news agency Reuters reported Monday.

The flaw relates to how the professional networking site manages cookies stored in user PCs after they log in to their accounts, according to Rishi Narang, who is based in New Delhi, India.

Narang, who posted the security flaw on his blog, told Reuters that unlike other Web sites which cookies typically expire within 24 hours, LinkedIn's "LEO_AUTH_TOKEN" has a validity of one year. This allows anyone who retrieves the specific file to access that particular user's account, without the need for log-in credentials.

The researcher added in the report that the problem of the one-year expiration for the cookie is "particularly acute" as LinkedIn users are not aware of this vulnerability and that they should protect the cookies.

In his blog post, Narang described a "worst-case scenario" of a hijacked user account, which can be accessed by an attacker despite a change of password or other settings because the "old cookie is [still] valid".

He also questioned in the post why LinkedIn keeps the cookie active even after a user has logged out and terminates the session.

According to Reuters, LinkedIn declined to respond to Narang's criticism of the year-long cookie validity, but issued a statement stating that it "takes the privacy and security of our members seriously".

The company also said it currently supports SSL (secure sockets layer) technology to encrypt "sensitive" data including account logins.

Narang, however, pointed out to Reuters that LinkedIn's cookies lacked SSL encryption, which means hackers can steal cookies using widely-available tools for sniffing Internet traffic.

LinkedIn, in its statement, noted that cookie encryption is expected to be available in the coming months, as part of its plans to allow users to opt in to SSL support for other parts of the site.

News of the vulnerability comes less than a week after LinkedIn scored an initial public offering of US$352.8 million, making it the first social media company to go public.

Last year, security researchers found several fake LinkedIn e-mail invitations designed to trick people into clicking links that led to the Zeus Trojan.

Editorial standards


I made a huge Apple Watch mistake
Scratches, scratches, scratches!

I made a huge Apple Watch mistake

I put the Apple Watch Ultra through a Tough Mudder: Here's how it held up

I put the Apple Watch Ultra through a Tough Mudder: Here's how it held up

The 5 best Apple Watch apps: Upgrade your watch experience

The 5 best Apple Watch apps: Upgrade your watch experience