LinkedIn Faces Multiple Security Vulnerabilities

LinkedIn’s user profiles are vulnerable to a ‘session management nightmare’, an Indian researcher says

Over 100 million users of professional social network LinkedIn are highly exposed to data breach threats caused by old authentication cookies, according to a security researcher.

Rishi Narang, an India-based security researcher and consultant, has recently pointed out “multiple vulnerabilities” in business-oriented social network LinkedIn, only days after the company floated on the New York Stock Exchange.

Describing the situation as “a session management nightmare,” Narang told eWEEK Europe UK that social networking sites like LinkedIn and Facebook are on hackers’ hit list, as the gap between the rising number of cyber crimes and human ignorance is widening.

Authentication cookies

According to Narang, LinkedIn issues some cookies once a registered user accesses the webpage. These cookies are overwritten by a whole new set after the user successfully logs into his profile with a correct password.

Among other cookie files, the main authentication cookie known as ‘leo_auth_token’ tells the server that the user is already authenticated, and that there is no need for a password re-submission.

“Once the attacker gets hold of this cookie, he can import it in his browser and, voila, he is having your session,” Narang wrote in his email to eWEEK Europe UK, adding the hacker will be able to read and edit the user’s profile as long as this cookie is valid.

According to the researcher, this cookie will remain valid for a year. While a new set of cookies is issued whenever a user logs into his profile, the old authentication cookies are not replaced, but remain active on the server until their expiry date.

“So an attacker can anytime authenticate his connection based on your old cookie available with him and the server,” said Narang.

Encrypted cookies

With LinkedIn, each user’s password is securely sent over an encrypted channel. On the other hand, cookies, although encrypted, are sent over a plain-text channel, allowing hackers to “sniff the traffic” and get hold of these cookies.

Although they cannot decrypt the cookie files, these cyber criminals can import them onto their browser and authenticate themselves as the real account holders without the need of any password.

While calling for an urgent fix from LinkedIn, Narang also urged users to be highly aware of such security flaw and use secured browsing channels rather than trusting LinkedIn’s security control.

“Users should try restricting their browsing sessions over encrypted (password protected) Wi-Fi networks instead of open public networks,” he said, while suggesting LinkedIn keeping the expiration of cookies to 24 hours or 1-2 days maximum.

As of March 2011, the professional social network reported 100 million registered users in more than 200 countries worldwide.