{"id":7549,"date":"2011-06-02T19:57:23","date_gmt":"2011-06-02T23:57:23","guid":{"rendered":"http:\/\/rbach.net\/blog\/?p=7549"},"modified":"2021-07-18T19:33:04","modified_gmt":"2021-07-18T23:33:04","slug":"linkedin-accounts-can-be-hijacked","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/linkedin-accounts-can-be-hijacked\/","title":{"rendered":"LinkedIn Accounts can be Hijacked"},"content":{"rendered":"

\"\"<\/a><\/em>Help Net Security<\/em><\/a> has a report that users of the newly minted<\/a> public LinkedIn<\/a> (LNKD<\/a>) are in danger of having their account hijacked. The Linkedin accounts can be hacked when accessing them over insecure Wi-Fi<\/a> networks or public computers. Independent security researcher Rishi Narang told Help Net Security<\/em> that the risk is due to two reasons. First, the LinkedIn session and authentication<\/a> cookies<\/a> have an unnaturally long lifespan. Secondly, LinkedIn<\/a> does not remove the cookies once the user logs out.<\/p>\n

\"LinkedIn\"<\/a>The article says the cookies in question are JSESSIONID<\/a> and LEO_AUTH_TOKEN, and are available even after the session initiated by the user has been terminated. The cookies are also set to expire only after one solid year, and this fact allowed the researcher to get access to a number of active accounts of various people from all over the world during a period of many months. “They would have login\/logged out many times in these months but their cookie was still valid,” Mr.Narnag writes on his blog<\/a>.<\/p>\n

In addition to all of that, those two cookies and the others that the welcome page stores are transmitted in clear text<\/a> over HTTP<\/a>, because they don’t have a secure flag set. “If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic,” explains Mr. Narang.<\/p>\n

According to the researcher, until LinkedIn makes some changes, the only way to “expire” the cookies is for the users to change their password and then authenticate themselves with the new credentials. This could be a stopgap measure if you know that someone has stolen those cookies and is accessing your account, but won’t new cookies be created after the password change and authentication?<\/p>\n

Help Net Security <\/em>says that the only solution to this problem is for LinkedIn to effect some changes, and according<\/a> to Reuters<\/em><\/a>, they are planning to offer “opt-in” SSL<\/a> support for the entire site in the coming months (and that would encrypt the cookies in questions), but have not commented on the cookies have such a long lifespan.<\/p>\n

Related articles<\/h6>\n