Tag Archive for Cookies

How To Bake Christmas Cookies

German automaker Mercedes-Benz has created the most expensive way to bake Christmas cookies. PSFK spotted this ad that uses the MB SLS AMG GT3 supercar rather than a kitchen appliance to bake holiday treats while going over the river and through the woods to grandma’s house.

At $500,000 the Mercedes SLS AMG GT3 is probably the most expensive and coolest oven to bake Christmas cookies.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

LinkedIn Accounts can be Hijacked

Help Net Security has a report that users of the newly minted public LinkedIn (LNKD) are in danger of having their accounts hijacked. The LinkedIn accounts can be hacked when accessing them over insecure Wi-Fi networks or public computers. Independent security researcher Rishi Narang told Help Net Security that the risk is due to two reasons. First, the LinkedIn session and authentication cookies have an unnaturally long lifespan. Secondly, LinkedIn does not remove the cookies once the user logs out.

The article says the cookies in question are JSESSIONID and LEO_AUTH_TOKEN, and are available even after the session initiated by the user has been terminated. The cookies are also set to expire only after one solid year, and this fact allowed the researcher to get access to a number of active accounts of various people from all over the world during a period of many months. “They would have login/logged out many times in these months but their cookie was still valid,” Mr. Narang writes on his blog.

In addition to all of that, those two cookies and the others that the welcome page stores are transmitted in clear text over HTTP, because they don’t have a secure flag set. “If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic,” explains Mr. Narang.

According to the researcher, until LinkedIn makes some changes, the only way to “expire” the cookies is for the users to change their password and then authenticate themselves with the new credentials. This could be a stopgap measure if you know that someone has stolen those cookies and is accessing your account, but won’t new cookies be created after the password change and authentication?

Help Net Security says that the only solution to this problem is for LinkedIn to effect some changes, and according to Reuters, they are planning to offer “opt-in” SSL support for the entire site in the coming months (and that would encrypt the cookies in question), but have not commented on the cookies having such a long lifespan.
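The three weaknesses described above (no Secure flag, a one-year lifetime, and cookies left in place at logout) can be checked from a site's `Set-Cookie` response headers. The following is an added example, not code from Help Net Security or the researcher; the header values, the fixed clock, and the 30-day limit are constructed assumptions, and only the two cookie names come from the article.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_DAYS = 30  # assumed policy limit, not a figure from the article
SESSION_COOKIES = {"JSESSIONID", "LEO_AUTH_TOKEN"}  # names from the article
NOW = datetime(2011, 5, 24, tzinfo=timezone.utc)  # fixed clock for repeatable results
# Constructed Set-Cookie values: a weak configuration and a hardened one.
WEAK_LOGIN = ["JSESSIONID=constructed; Path=/; Expires=Wed, 23 May 2012 00:00:00 GMT",
              "LEO_AUTH_TOKEN=constructed; Path=/; Max-Age=31536000"]
WEAK_LOGOUT = []  # logout response sets no cookies, so nothing is cleared
HARD_LOGIN = ["JSESSIONID=constructed; Path=/; Secure; HttpOnly",
              "LEO_AUTH_TOKEN=constructed; Path=/; Secure; HttpOnly; Max-Age=1800"]
HARD_LOGOUT = ["JSESSIONID=; Path=/; Secure; Max-Age=0",
               "LEO_AUTH_TOKEN=; Path=/; Secure; Max-Age=0"]

def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie value; attribute names lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime_days(attrs, now):
    """Cookie lifetime in days (Max-Age wins over Expires); None = session cookie."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None

def audit(login_headers, logout_headers, now=NOW):
    """List (cookie, problem) pairs for the session cookies set at login."""
    cleared = set()
    for name, attrs in map(parse_set_cookie, logout_headers):
        days = lifetime_days(attrs, now)
        if days is not None and days <= 0:  # expired on purpose at logout
            cleared.add(name)
    findings = []
    for name, attrs in map(parse_set_cookie, login_headers):
        if name not in SESSION_COOKIES:
            continue
        if "secure" not in attrs:
            findings.append((name, "no Secure flag: sent over plain HTTP"))
        days = lifetime_days(attrs, now)
        if days is not None and days > MAX_DAYS:
            findings.append((name, "lifetime %d days" % round(days)))
        if name not in cleared:
            findings.append((name, "not cleared at logout"))
    return findings
```

A clean result here covers only what the browser is told; whether the server also invalidates the session at logout has to be verified on the server side.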


 


Zombie Cookies

If you are a frequent visitor to YouTube, or stopped by Scribd just once to check it out, or visited any other Flash site, the odds are you have zombie cookies lurking on your computer that you thought were long gone, according to an article at Helium. A lawsuit has been filed against major web properties for installing zombie cookies on computers. The suit alleges that the Quantcast cookies violate eavesdropping, hacking, and fair trade laws, and show a pattern of covert online surveillance. The firms named in the suit include:

  • ABC
  • ESPN
  • HULU
  • MySpace
  • MTV
  • NBC
  • Scribd
  • YouTube
  • Most other sites utilizing Flash

When you visit a website, it generally places a cookie on your computer, which you can delete. But when you delete a zombie cookie, it comes back to life in a sense – hence the cool name. The problem was first identified at UC Berkeley. They noticed that they were deleting cookies, but they kept coming back over and over. No amount of deleting them would kill the nasty little buggers off. After tracking down their location, the only fix that was easily available at that time was deleting the cookies and Adobe Flash Player (ADBE).

 
