23 May 2011
Professional social networking site LinkedIn, which last week doubled in value just hours after an IPO, has been accused of containing cookie-related vulnerabilities which could allow hackers to hijack user accounts.
Independent security researcher Rishi Narang explained in a blog post that the first problem on the site is that all cookies, including those related to log-ins, are available in "plain text over an unencrypted channel of communication".
This means that log-in cookies could be harvested via a man-in-the-middle attack, he said.
The second major flaw is that LinkedIn keeps its cookies active for much longer than they need to be, so that even if a user has logged out, hackers could still take advantage of the above vulnerability.
"As a result of valid cookies, an attacker can sniff the cookies from clear-text session, and then use it to authenticate its own session," explained Narang.
"He can then compromise and modify the information available at the user profile page."
Narang argued that a worst case could be envisaged if hackers decide to snoop network traffic for LinkedIn cookies.
"You are in a network at the office or at home and someone captures the cookies in traffic or uses Firesheep and, boom! you are hijacked till the time LinkedIn fixes it," he said.
"And, even though you change the password and all settings, still the old cookie is valid and will grant the attacker an access to your account. May God be with you!"
Narang added that the only quick workaround available would be to completely close the account down and then reopen it with the same email address, as this will change the user ID and render the previous cookie invalid.
In a statement, LinkedIn recommended that users "choose trusted and encrypted Wi-Fi networks or VPNs whenever possible". However, it didn't address the issue of leaving cookies active for a year.
"LinkedIn takes the privacy and security of our members seriously. So, among other security measures, we currently support SSL for log-ins and other sensitive web pages," the statement noted.
"In addition, we seek to improve our site's security and are, for instance, evaluating opt-in SSL support for other parts of the site and expect those to be available in the coming months. Using SSL effectively scrambles cookies sent between servers and users' computers."
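The two cookie problems described above can be checked from a site's own `Set-Cookie` response headers. The following is an added example, not code from Narang or LinkedIn: the cookie name, the sample headers and the 14-day lifetime threshold are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME_DAYS = 14  # assumed policy threshold, not a figure from the article

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes with lowercase keys)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def lifetime_days(attrs, now):
    """Cookie lifetime in days; Max-Age takes precedence over Expires (RFC 6265).
    Returns None for a session cookie or an unparseable expiry."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) / 86400
        except ValueError:
            pass  # malformed Max-Age: fall back to Expires
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return None
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return (expires - now).total_seconds() / 86400

def audit(headers, now):
    """Return (cookie name, finding) pairs for the two issues in the article."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append((name, "no Secure attribute: sent over plain HTTP"))
        days = lifetime_days(attrs, now)
        if days is not None and days > MAX_LIFETIME_DAYS:
            findings.append((name, f"lifetime {days:.0f} days exceeds {MAX_LIFETIME_DAYS}"))
    return findings

# Constructed sample headers: a long-lived cookie without Secure, then a hardened one.
SAMPLE = [
    "session_token=abc123; Path=/; Expires=Mon, 21 May 2012 10:00:00 GMT",
    "session_token=abc123; Path=/; Secure; HttpOnly; Max-Age=3600",
]
NOW = datetime(2011, 5, 23, 10, 0, 0, tzinfo=timezone.utc)
```

Cookie attributes only show what the browser is told. Whether the server still accepts an old cookie after logout or a password change has to be tested separately against the server's session handling.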
This isn't the first time the site has been hit with security problems, although it has generally had a better press than Facebook in this regard.
In 2009, a number of fake profiles containing malicious links flooded the site, while last year, a malicious email spam campaign used fake LinkedIn contact requests to trick users into downloading the information-stealing ZeuS Trojan.
The site has also been singled out by security experts as a valuable source of personal and corporate information for cyber criminals looking to research targets before they launch phishing and other attacks at certain corporate users.