Security expert points out cookie vulnerability in LinkedIn
24 May 2011
Quick on the heels of its highly successful IPO, LinkedIn has come in for criticism from an Indian cyber security expert for being remiss on security.
In a published analysis of LinkedIn's cookie handling, Delhi-based security researcher Rishi Narang has pointed out two cookie handling problems: an SSL cookie is used without having its "secure" flag set, and cookies remain available after the end of authenticated sessions.
The first problem concerns all cookies, including JSESSIONID and LEO_AUTH_TOKEN, being held in plain text. Since "these cookies appear to contain session information", they could be captured over an established LinkedIn session, according to Narang.
The second could be a more serious problem: since cookies are retained on a machine after the end of a session, a malicious user could use someone else's cookies to re-establish a connection to their account (an obvious example being accessing a workmate's computer).
According to Narang, the cookies were set to persist for a year rather than being deleted at the termination of a session. "As a result, in just 15 minutes, I was successfully able to access multiple active accounts that belong to individuals from different global locations," he wrote.
He adds that the cookie can be forced to expire only after a user changes the LinkedIn password, logs out, and logs in with the new password.
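A site operator can check for both reported problems by auditing the Set-Cookie headers the application emits. The script below is an added example, not code from the article or from Narang's analysis; the header values are constructed placeholders and the 12-hour lifetime limit is an assumed policy.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not captured traffic); cookie values are placeholders.
SAMPLE_HEADERS = [
    "JSESSIONID=placeholder-1; Path=/",
    "LEO_AUTH_TOKEN=placeholder-2; Path=/; Max-Age=31536000",
    "LEO_AUTH_TOKEN=placeholder-3; Path=/; Expires=Wed, 23 May 2012 10:00:00 GMT; Secure",
    "JSESSIONID=placeholder-4; Path=/; Secure",
]
MAX_LIFETIME = timedelta(hours=12)  # assumed policy limit for an auth cookie

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def lifetime(attrs, now):
    """Return how long the cookie persists, or None for a session cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: treated as a session cookie
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when - now
    return None

def audit(headers, now):
    """Flag cookies sent without Secure or persisting beyond MAX_LIFETIME."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append((name, "missing Secure flag"))
        life = lifetime(attrs, now)
        if life is not None and life > MAX_LIFETIME:
            findings.append((name, f"persists {life.days} days"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_HEADERS, datetime.now(timezone.utc)):
        print(f"{name}: {issue}")
```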