Researcher reports LinkedIn cookie vulnerability

A security researcher has warned that LinkedIn's log-in cookie has a validity of one year rather than the more standard 24 hours, according to a report

A security researcher has warned of a vulnerability that could expose LinkedIn user accounts, Reuters reported on Monday.

The flaw relates to how the professional-networking site manages cookies stored in user PCs after they log in to their accounts, according to Rishi Narang, who is based in New Delhi, India. Narang, who posted the security flaw on his blog, told Reuters that unlike other websites, which use cookies that typically expire within 24 hours, LinkedIn's "LEO_AUTH_TOKEN" has a validity of one year. This allows anyone who retrieves the specific file to access that particular user's account, without the need for log-in credentials.

The researcher added in the report that the problem of the one-year expiration for the cookie is "particularly acute" because LinkedIn users are not aware of this vulnerability and should take measures to protect themselves.
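As an added illustration of why the cookie lifetime matters (this is example code, not LinkedIn's implementation and not from the researcher's report; the token layout, the signing key and the user name are constructed assumptions): a minimal signed session token carrying an absolute expiry, plus a server-side revocation list. A copied token issued with a one-year lifetime still validates a month later, a 24-hour token does not, and server-side revocation at logout closes the window whatever the lifetime.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Set

# Constructed server-side signing key; the real LEO_AUTH_TOKEN format is not public here.
SERVER_KEY = secrets.token_bytes(32)

ONE_YEAR = 365 * 24 * 3600   # lifetime the report attributes to LinkedIn's cookie
ONE_DAY = 24 * 3600          # the "more standard" lifetime the report cites


def issue_token(user_id: str, issued_at: int, ttl: int) -> str:
    """Mint a signed bearer token that embeds an absolute expiry time."""
    expires = issued_at + ttl
    payload = f"{user_id}:{expires}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return f"{user_id}:{expires}:{tag}"


def validate_token(token: str, now: int, revoked: Set[str]) -> Optional[str]:
    """Return the user id only if the token is authentic, unexpired and not revoked."""
    try:
        user_id, expires, tag = token.rsplit(":", 2)
    except ValueError:
        return None
    payload = f"{user_id}:{expires}".encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None        # forged or tampered token
    if now >= int(expires):
        return None        # absolute lifetime exceeded
    if token in revoked:
        return None        # invalidated server-side (logout, password change)
    return user_id


def replay_window(ttl: int, stolen_after: int) -> bool:
    """Does a cookie copied `stolen_after` seconds after login still work?"""
    login = 1_700_000_000                  # constructed login timestamp
    token = issue_token("alice", login, ttl)
    return validate_token(token, login + stolen_after, set()) == "alice"


def logout_closes_window(ttl: int) -> bool:
    """With server-side revocation a copied cookie dies at logout regardless of TTL."""
    login = 1_700_000_000
    token = issue_token("alice", login, ttl)
    revoked = {token}                      # recorded when the user logs out
    return validate_token(token, login + 60, revoked) is None
```

The expiry check alone is what distinguishes the one-year and one-day cases; the revocation set is the server-side control that makes a stolen cookie useless once the user ends the session.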

For more on this ZDNet UK-selected story, see Researcher finds LinkedIn security flaw on ZDNet Asia.
