Indian Security Expert Exposes Vulnerability In LinkedIn

Just days after the professional social network LinkedIn went public, an independent security researcher from India has discovered a security vulnerability in the site. In a post on his personal blog, the researcher, Rishi Narang, says that this vulnerability could lead to a hacker gaining control over your account without even having access to the password, just by being on the same network.


Cookies, in case you are wondering, are text-based files stored on your computer by the browser. These files are used for authentication, storing preferences, etc. The ‘remember me’ functionality that many sites offer actually stores uniquely identifiable information on your computer in the form of cookies. If anyone gains access to this cookie, your account could be compromised. This same concept was used in Firesheep, a tool that hijacks people’s Twitter and Facebook accounts with just one click on insecure and unencrypted networks. Firesheep, in fact, was used by a notorious attendee at a TED conference to gain control over Ashton Kutcher’s Twitter account. This prompted Twitter to introduce an option to always enable HTTPS.

The researcher demonstrated a similar flaw in LinkedIn, where the LEO_AUTH_TOKEN cookie was stored without any encryption and with an expiry date set to one year. Now if a hacker sniffs traffic on your network, whether it is a public Wi-Fi network or an office LAN, this cookie can enable the hacker to log into your account.
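A site owner can check for this class of flaw by auditing the `Set-Cookie` headers their own application sends. The following is an added example, not code from the article or from the researcher's post: it flags an authentication cookie that lacks the `Secure` attribute (so the browser will also send it over plain HTTP) or that lives longer than a policy limit. The header values, the fixed date and the 30-day limit are constructed assumptions; only the cookie name comes from the article.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(days=30)  # assumed policy limit, not from the article
NOW = datetime(2011, 5, 23, 10, 0, 0, tzinfo=timezone.utc)  # fixed for repeatability

# Constructed sample headers (values are placeholders, not captured traffic).
WEAK = 'LEO_AUTH_TOKEN="constructed-value"; Path=/; Expires=Wed, 23 May 2012 10:00:00 GMT'
HARDENED = 'LEO_AUTH_TOKEN="constructed-value"; Path=/; Secure; HttpOnly; Max-Age=86400'


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def lifetime(attrs, now):
    """Return how long the cookie persists, or None for a session cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def audit(header, now=NOW):
    """Return (cookie name, list of finding codes) for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser attaches the cookie to http:// requests,
        # where anyone on the same network segment can read it.
        findings.append("missing-secure")
    life = lifetime(attrs, now)
    if life is not None and life > MAX_LIFETIME:
        # A long-lived token stays usable long after it has been captured.
        findings.append("long-lived")
    return name, findings


if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(audit(header))
```

The `Secure` attribute only protects the cookie if the pages that use it are themselves served over HTTPS.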

In response to this, LinkedIn has told Reuters that they plan to roll out an opt-in always-use-HTTPS feature for users to combat hackers. Facebook and Twitter already have this option.

This news surely must have upset the celebrations going on at LinkedIn offices after their successful IPO launch where their shares opened at 84% more than what they were priced at.

LinkedIn is the latest site to have its security vulnerabilities exposed. Sony has been on the receiving end of attacks after its infamous act of suing George Hotz, who had successfully jailbroken the PS3. CCAvenue and LastPass also suffered setbacks when some of their users’ data was compromised.
