Security expert points out cookie vulnerability in LinkedIn

24 May 2011


Quick on the heels of its highly successful IPO, LinkedIn has come in for criticism from an Indian cyber security expert for being remiss on security.

In a published analysis of LinkedIn's cookie handling, Delhi-based security researcher Rishi Narang points out two problems: a cookie used over SSL is set without its ''secure'' flag, and cookies remain valid after an authenticated session has ended.

The first problem is that LinkedIn's cookies, including JSESSIONID and LEO_AUTH_TOKEN, travel in plain text: without the ''secure'' flag a browser will send them over unencrypted HTTP connections as well as over HTTPS, and since ''these cookies appear to contain session information'', anyone able to observe the traffic of an established LinkedIn session could capture them, according to Narang.

The second problem could be more serious: because the cookies remain valid on a machine after the session has ended, a malicious user who obtains someone else's cookies could use them to re-establish a connection to that person's account (an obvious example being someone with access to a workmate's computer).

According to Narang, the cookies were set to persist for a year rather than being deleted at the end of a session. ''As a result, in just 15 minutes, I was successfully able to access multiple active accounts that belong to individuals from different global locations,'' he wrote.

He adds that the cookie can be forced to expire only after the user changes the LinkedIn password, logs out, and logs back in with the new password.
