26/09/2013
LinkedIn site has security vulnerabilities-expert
LinkedIn's professional networking website has security flaws that makes users' accounts vulnerable to attack by hackers who could break in without ever needing passwords, according to a security researcher who identified the problem.
News of the vulnerability surfaced over the weekend, only days after LinkedIn Corp (LNKD.N) went public last week with a trading debut that saw the value of its shares more than double, evoking memories of the dot.com investment boom of the late 1990s.
Rishi Narang -- an independent Internet security researcher based near New Delhi, India, who discovered the security flaw -- told Reuters on Sunday that the problem is related to the way LinkedIn manages a commonly used type of data file known as a cookie.
After a user enters the proper username and password to access an account, LinkedIn's system creates a cookie "LEO_AUTH_TOKEN" on the user's computer that serves as a key to gain access to the account.
Lots of websites use such cookies, but what makes the LinkedIn cookie unusual is that it does not expire for a full year from the date it is created, Narang said.
The long life of the LinkedIn cookie means that anybody who gets hold of that file can load it on to a PC and easily gain access to the original user's account for as much as a year.
The company issued a statement saying that it already takes steps to secure the accounts of its customers.
"LinkedIn takes the privacy and security of our members seriously," the statement said.
The company said that it currently supports SSL, or secure sockets layer, technology for encrypting certain "sensitive" data, including account logins.
But those access token cookies are not yet scrambled with SSL. That makes it possible for hackers to steal the cookies using widely available tools for sniffing Internet traffic, Narang said.
Narang said that problem is particularly acute because LinkedIn's users are not aware of the problem and have no idea that they should be protecting those cookies.
He said he found four cookies with valid LinkedIn access tokens had been uploaded to a LinkedIn developer forum by users who were posting questions about their use.
He said he downloaded those cookies and was able to access the accounts of the four LinkedIn subscribers. (Reporting by Jim Finkle; Editing by Tim Dobbyn)
