LinkedIn security vulnerability
May 24, 2011
LinkedIn is the social network of the business world. Many people use it as an online resume or as an adjunct to any offline CV they keep updated. Last week, the company went public in an event that saw the value of its shares more than double, evoking worries among technology experts and the stock exchange that this is ongoing proof of another dot-com bubble. The last bubble was in the late 1990s.
No sooner had the dust settled over the stock price than the announcement was made that the professional networking website has security flaws that make users’ accounts vulnerable to attack by hackers. Rishi Narang, a security researcher from near New Delhi in India, reported that an intruder could gain access to a user’s data without needing a password if the cookie could be obtained.
Cookies are used to maintain a user’s session and usually expire quite quickly, but the LinkedIn cookie stays valid for a whole year. After a user enters the proper username and password to access an account, LinkedIn’s system creates a cookie, “LEO_AUTH_TOKEN”, on the user’s computer that serves as a key to gain access to the account.
The company issued a statement saying that it already takes steps to secure the accounts of its customers.
“LinkedIn takes the privacy and security of our members seriously,” the statement said.
“Whether you are on LinkedIn or any other site, it’s always a good idea to choose trusted and encrypted WiFi networks or VPNs (virtual private networks) whenever possible.”
The company said that it currently supports SSL, or secure sockets layer, technology for encrypting certain “sensitive” data, including account logins.
But those access token cookies are not yet protected by SSL. That makes it possible for hackers to steal the cookies using widely available tools for sniffing Internet traffic, Narang said.
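As an added illustration, not part of the article or of LinkedIn’s own code, the following Python audits Set-Cookie headers for the two weaknesses described above: an authentication cookie that stays valid for a year and one that is not restricted to SSL connections. The sample header values and the seven-day lifetime policy are assumptions made for the example.

```python
# Added example (not from the article): audit Set-Cookie headers for the two
# weaknesses the article describes in LEO_AUTH_TOKEN: a session token that is
# valid for a very long time and one that is not restricted to encrypted
# connections. Header values below are constructed, not captured traffic.
from http.cookies import SimpleCookie
from email.utils import parsedate_to_datetime
from datetime import datetime, timezone

ONE_DAY = 24 * 3600
MAX_SESSION_LIFETIME = 7 * ONE_DAY  # policy assumption: auth cookies last at most a week


def cookie_lifetime_seconds(morsel, now):
    """Return the cookie's lifetime in seconds (0 for a browser-session cookie)."""
    if morsel["max-age"]:
        return int(morsel["max-age"])
    if morsel["expires"]:
        return int((parsedate_to_datetime(morsel["expires"]) - now).total_seconds())
    return 0


def audit_set_cookie(header_value, now=None):
    """Return a list of findings for one Set-Cookie header value (empty if clean)."""
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(header_value)  # parses "name=value; attr=value; Flag" syntax
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure flag, browser sends it over plain HTTP too")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly flag, readable by page scripts")
        lifetime = cookie_lifetime_seconds(morsel, now)
        if lifetime > MAX_SESSION_LIFETIME:
            findings.append(f"{name}: lifetime {lifetime // ONE_DAY} days exceeds policy")
    return findings


# Constructed samples: the weak configuration the article describes (one-year
# token, no Secure flag) next to a hardened version of the same cookie.
WEAK = "LEO_AUTH_TOKEN=example; Path=/; Max-Age=31536000"
HARDENED = "LEO_AUTH_TOKEN=example; Path=/; Max-Age=86400; Secure; HttpOnly"

if __name__ == "__main__":
    for label, value in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_set_cookie(value) or ["no findings"])
```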