Security researcher says LinkedIn has cookie vulnerability

LinkedIn has security flaws, expert claims

LinkedIn has security flaws that make users' accounts vulnerable to hackers, according to a security researcher.

The vulnerability in the professional networking website could allow hackers to break in without using passwords, internet security researcher Rishi Narang says.

He blogged about the flaw just days after LinkedIn went public with a trading debut that saw the value of its shares more than double.

Narang, who is based near New Delhi in India, discovered the security flaw and detailed the vulnerability on his blog www.wtfuzz.com.

He told Reuters that the problem is related to the way LinkedIn manages a commonly used type of data file known as a cookie.

After a user enters the proper username and password to access an account, LinkedIn's system creates a cookie "LEO_AUTH_TOKEN" on the user's computer that serves as a key to gain access to the account.

Lots of websites use such cookies, but the LinkedIn cookie is unusual as it does not expire for a full year from the date it is created, Narang said.

Most commercial websites typically design their access token cookies to expire in 24 hours, or even earlier if a user were to first log off the account, he added.

However, there are some exceptions, including banking sites, which often log users off after five or 10 minutes of inactivity.

Google gives its users the option of using cookies that keep them logged on for several weeks, but it lets the user decide first.

The long life of the LinkedIn cookie means that anybody who gets hold of that file can load it on to a PC and easily gain access to the original user's account for as much as a year.

LinkedIn responded that it "takes the privacy and security of members seriously" and already takes steps to secure the accounts of its customers.

"Whether you are on LinkedIn or any other site, it's always a good idea to choose trusted and encrypted WiFi networks or VPNs (virtual private networks) whenever possible," the company said.

LinkedIn said it currently supports SSL (secure sockets layer) technology for encrypting certain "sensitive" data, including account logins.

But those access token cookies are not yet scrambled with SSL, making it possible for hackers to steal the cookies using widely available tools for sniffing internet traffic, Narang said.
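The two weaknesses the article describes (a one-year cookie lifetime and a token cookie that the browser will also send over plaintext HTTP) are both properties a site sets on the server side when it issues the cookie. The following is an added example, not code from LinkedIn or from Narang's blog; it uses the cookie name quoted in the article but every other detail (the hypothetical `SessionStore`, the 24-hour lifetime, the audit thresholds) is an assumption chosen to illustrate the point. It builds the weak `Set-Cookie` header beside a hardened one, audits an arbitrary `Set-Cookie` value for the same attributes, and shows a server-side session record that makes a copied token useless after logout or expiry:

```python
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie
import secrets

# Cookie name as quoted in the article; everything else here is constructed.
COOKIE_NAME = "LEO_AUTH_TOKEN"
ONE_YEAR = 365 * 24 * 3600
ONE_DAY = 24 * 3600


def weak_set_cookie(token: str) -> str:
    """Reproduces the pattern the article criticises: a session token that
    lives for a year and carries no Secure flag, so the browser will also
    send it over unencrypted HTTP where a network observer can read it."""
    c = SimpleCookie()
    c[COOKIE_NAME] = token
    c[COOKIE_NAME]["max-age"] = ONE_YEAR
    c[COOKIE_NAME]["path"] = "/"
    return c[COOKIE_NAME].OutputString()


def hardened_set_cookie(token: str) -> str:
    """Same token, issued the way most commercial sites do it: short lifetime,
    Secure (only sent over TLS), HttpOnly (not readable by page scripts),
    SameSite=Lax (not attached to most cross-site requests)."""
    c = SimpleCookie()
    c[COOKIE_NAME] = token
    c[COOKIE_NAME]["max-age"] = ONE_DAY
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["samesite"] = "Lax"
    return c[COOKIE_NAME].OutputString()


def audit_set_cookie(header_value: str, max_lifetime: int = ONE_DAY) -> list:
    """Defender-side check: parse a Set-Cookie value and list the attributes
    that leave an access token exposed. Empty list means nothing flagged."""
    findings = []
    c = SimpleCookie()
    c.load(header_value)
    for name, morsel in c.items():
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure flag, token will travel over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, token readable from page scripts")
        if morsel["max-age"] and int(morsel["max-age"]) > max_lifetime:
            findings.append(f"{name}: Max-Age={morsel['max-age']} exceeds {max_lifetime}s")
    return findings


class SessionStore:
    """Hypothetical server-side session table. A token copied from one
    machine to another only works while this record exists and is unexpired,
    so logout or expiry on the server ends the exposure regardless of what
    the browser still holds."""

    def __init__(self, ttl_seconds: int = ONE_DAY):
        self._sessions = {}  # token -> (user_id, absolute expiry)
        self.ttl = timedelta(seconds=ttl_seconds)

    def issue(self, user_id: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        self._sessions[token] = (user_id, now + self.ttl)
        return token

    def lookup(self, token: str, now: datetime):
        """Return the user for a presented token, or None if unknown/expired."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        user_id, expires_at = rec
        if now >= expires_at:
            del self._sessions[token]  # lazy cleanup of a stale record
            return None
        return user_id

    def logout(self, token: str) -> None:
        """Revoke the token server-side; any copy of it stops working."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    print("weak:    ", weak_set_cookie("tok123"))
    print("hardened:", hardened_set_cookie("tok123"))
    for finding in audit_set_cookie(weak_set_cookie("tok123")):
        print(" -", finding)
```

The `audit_set_cookie` helper is the piece a practitioner would actually run: point it at the `Set-Cookie` headers a site returns after login and it flags the same three properties the article turns on. The `SessionStore` shows why a short server-side lifetime and real logout revocation matter independently of the cookie attributes: the browser-side `Max-Age` only tells the browser when to forget the cookie, while the server record decides when a copied token stops being accepted.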

LinkedIn said in its statement that it is preparing to offer "opt-in" SSL support for other parts of the site, an option that would cover encryption of those cookies.

The company said it expected that to be available "in the coming months."

It declined to respond to Narang's critique of the company's use of a cookie with a one-year expiration.

Narang said that problem is particularly acute because LinkedIn's users are not aware of the problem and have no idea that they should be protecting those cookies.

He said he found four cookies with valid LinkedIn access tokens had been uploaded to a LinkedIn developer forum by users who were posting questions about their use.

After downloading those cookies he was able to access the accounts of the four LinkedIn subscribers, he added.
