Over 100 million users of professional social network LinkedIn are highly exposed to data breach threats caused by old authentication cookies, according to a security researcher.
Rishi Narang, an India-based security researcher and consultant, has recently pointed out “multiple vulnerabilities” in business-oriented social network LinkedIn, only days after the company floated on the New York Stock Exchange.
Describing the situation as “a session management nightmare,” Narang told eWEEK Europe UK that social networking sites like LinkedIn and Facebook are on hackers’ hit list, as the gap between the rising number of cyber crimes and human ignorance is widening.
Among other cookie files, the main authentication cookie known as ‘leo_auth_token’ tells the server that the user is already authenticated, and that there is no need for a password re-submission.
“Once the attacker gets hold of this cookie, he can import it in his browser and, voila, he is having your session,” Narang wrote in his email to eWEEK Europe UK, adding the hacker will be able to read and edit the user’s profile as long as this cookie is valid.
According to the researcher, this cookie remains valid for a year. Although a new set of cookies is issued whenever a user logs into his profile, the old authentication cookies are not invalidated; they remain accepted by the server until their expiry date.
“So an attacker can anytime authenticate his connection based on your old cookie available with him and the server,” said Narang.
With LinkedIn, each user’s password is sent over an encrypted channel. The cookies, however, although themselves encrypted, are sent over a plain-text channel, allowing hackers to “sniff the traffic” and capture them.
Although they cannot decrypt the cookie files, these cyber criminals can import them into their own browser and authenticate as the real account holder without needing a password.
While calling for an urgent fix from LinkedIn, Narang also urged users to be aware of such security flaws and to use secure browsing channels rather than relying on LinkedIn’s security controls.
“Users should try restricting their browsing sessions over encrypted (password protected) Wi-Fi networks instead of open public networks,” he said, while suggesting that LinkedIn limit cookie lifetimes to 24 hours, or one to two days at most.
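The cookie lifecycle described above (a year-long token that stays valid after the user’s next login and travels over plain HTTP), placed beside the shorter-lived, rotated, HTTPS-only policy the researcher recommends, as an added example that is not code from the article or from LinkedIn; the in-memory session store, the reuse of the cookie name and the lifetime values are constructed for illustration.

```python
import secrets

# Constructed illustration of two server-side cookie policies; not LinkedIn's code.
WEAK_TTL = 365 * 24 * 3600   # about a year, the lifetime reported for leo_auth_token
HARD_TTL = 24 * 3600         # the 24-hour ceiling the researcher suggests


class SessionStore:
    def __init__(self, ttl, secure_only, rotate_on_login):
        self.ttl = ttl                          # cookie lifetime in seconds
        self.secure_only = secure_only          # emit the Secure attribute
        self.rotate_on_login = rotate_on_login  # drop earlier sessions at login
        self.sessions = {}                      # token -> (user, expiry)

    def login(self, user, now):
        if self.rotate_on_login:
            # Revoke every earlier session of this user, so a previously
            # sniffed cookie stops working the moment the user signs in again.
            self.sessions = {t: (u, e) for t, (u, e) in self.sessions.items()
                             if u != user}
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now + self.ttl)
        return token

    def set_cookie_header(self, token):
        attrs = [f"leo_auth_token={token}", f"Max-Age={self.ttl}", "HttpOnly"]
        if self.secure_only:
            attrs.append("Secure")  # browser will never send it over plain HTTP
        return "Set-Cookie: " + "; ".join(attrs)

    def authenticate(self, token, now, over_https):
        # A Secure cookie is never presented on a plain-text channel, so there
        # is nothing on the wire for a sniffer to capture in the first place.
        if self.secure_only and not over_https:
            return None
        entry = self.sessions.get(token)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]


def replayed_old_cookie(store, now=1_000_000):
    """Does a cookie captured before the user's next login still authenticate?"""
    old = store.login("victim", now)
    store.login("victim", now + 60)   # user signs in again, new cookie issued
    return store.authenticate(old, now + 3600, over_https=True)


WEAK = SessionStore(WEAK_TTL, secure_only=False, rotate_on_login=False)
HARD = SessionStore(HARD_TTL, secure_only=True, rotate_on_login=True)
```

With the weak policy the stale cookie still authenticates after the user has logged in again; with the hardened one it is rejected, and even a live cookie is useless past the 24-hour window or on a plain HTTP connection.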
As of March 2011, the professional social network reported 100 million registered users in more than 200 countries worldwide.