LinkedIn, which debuted on the New York Stock Exchange to extreme hype and a staggering 150% stock price jump (it has since settled somewhat), may be suffering from security flaws that will tarnish its current glow.
According to an independent Internet security researcher named Rishi Narang, the professional networking website has a security flaw that makes user accounts susceptible to attack by hackers who can break in without knowing the victim's password.
He told Reuters that this problem is a result of the way LinkedIn manages its cookie data.
Quoth The Province:
After a user enters the proper username and password to access an account, LinkedIn’s system creates a cookie “LEO-AUTH-TOKEN” on the user’s computer that serves as a key to gain access to the account. Lots of websites use such cookies, but what makes the LinkedIn cookie unusual is that it does not expire for a full year from the date it is created, Narang said.
Most commercial websites would typically design their access token cookies to expire in 24 hours, or even earlier if a user were to first log off the account, Narang said. There are some exceptions: Banking sites often log users off after five or 10 minutes of inactivity. Google gives its users the option of keeping cookies for several weeks, but it lets the user decide first.
LinkedIn issued a statement saying it “takes the privacy and security of our members seriously,” but was unable to directly address Rishi’s concern, merely suggesting that users “choose trusted and encrypted Wi-Fi networks or VPNs.”
LinkedIn currently supports secure sockets layer (SSL), which encrypts sensitive data such as account log-ins, but the access token cookie is not restricted to SSL connections: whenever the browser loads a LinkedIn page over plain HTTP, the cookie travels in the clear and can be captured by anyone on the same network, which is why the advice about trusted Wi-Fi and VPNs is the only mitigation the company could offer.
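The two weaknesses the article describes (a token that stays valid for a year and survives logout, and a cookie that is not restricted to SSL) can be shown side by side with a small model of a session store. The code below is an added illustration, not LinkedIn's code or Narang's; only the cookie name comes from the article, and the `SessionPolicy`/`Site` classes, the timestamp and the "victim" account are assumptions constructed for the example.

```python
"""Replayable long-lived auth cookie vs. a hardened session cookie.

Added example; the server internals here are an assumed model, not LinkedIn's.
"""
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

COOKIE = "LEO-AUTH-TOKEN"        # cookie name as spelled in the article
ONE_DAY = 24 * 3600
ONE_YEAR = 365 * ONE_DAY


@dataclass
class SessionPolicy:
    ttl: int                 # seconds the server keeps accepting the token
    revoke_on_logout: bool   # does "log out" invalidate the token server-side?
    secure_only: bool        # is the cookie marked Secure (sent over HTTPS only)?


class Site:
    """Server-side session store driven by one SessionPolicy (assumed model)."""

    def __init__(self, policy: SessionPolicy) -> None:
        self.policy = policy
        self.sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry)

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now + self.policy.ttl)
        return token

    def set_cookie(self, token: str) -> str:
        """The Set-Cookie value the site would emit for this token."""
        c = SimpleCookie()
        c[COOKIE] = token
        c[COOKIE]["max-age"] = self.policy.ttl
        c[COOKIE]["httponly"] = True          # keep it away from page scripts
        if self.policy.secure_only:
            c[COOKIE]["secure"] = True        # browser sends it over TLS only
        return c[COOKIE].OutputString()

    def logout(self, token: str) -> None:
        if self.policy.revoke_on_logout:
            self.sessions.pop(token, None)    # weak policy: token stays valid

    def authenticate(self, token: str, now: float) -> Optional[str]:
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        return user if now < expiry else None


def browser_sends_cookie(site: Site, over_tls: bool) -> bool:
    """A browser attaches a Secure cookie only to HTTPS requests."""
    return over_tls or not site.policy.secure_only


def replay(site: Site, days_later: int = 30, victim_logs_out: bool = True,
           assume_captured: bool = False) -> Optional[str]:
    """Victim logs in, loads one plain-HTTP page on open Wi-Fi, (maybe) logs out;
    the attacker replays the sniffed cookie days later. Returns the account the
    attacker gets, or None. assume_captured=True skips the sniffing step to show
    the server-side defences on their own."""
    t0 = 1_700_000_000.0                       # constructed timestamp
    token = site.login("victim", t0)
    sniffed = token if (assume_captured or browser_sends_cookie(site, over_tls=False)) else None
    if victim_logs_out:
        site.logout(token)
    if sniffed is None:
        return None                            # nothing crossed the wire in the clear
    return site.authenticate(sniffed, t0 + days_later * ONE_DAY)


WEAK = SessionPolicy(ttl=ONE_YEAR, revoke_on_logout=False, secure_only=False)
HARDENED = SessionPolicy(ttl=ONE_DAY, revoke_on_logout=True, secure_only=True)

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        site = Site(policy)
        print(f"{name:9s} Set-Cookie: {site.set_cookie(site.login('demo', 0.0))}")
        print(f"{name:9s} replay 30 days after logout -> {replay(Site(policy))!r}")
```

Under the weak policy the attacker still holds a working account a month after the victim logged out; under the hardened one the cookie never leaves the browser on a plain-HTTP page, and even a token obtained some other way dies at logout or within a day. The same three checks (Secure flag, server-side revocation on logout, short lifetime) are what a reviewer would look for in any site's session cookie.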
Rishi has more details on the security issue on his blog.