LinkedIn cookies compromise user accounts

Research claims the corporate social network could put users at risk.

LinkedIn

A security researcher has claimed LinkedIn's use of cookies leaves user accounts open to attacks.

The independent researcher, Rishi Narangreported, wrote on his blog that cookies of the social networking site for business people may be active for up to a year, meaning if a hacker can access the relevant file, they can continually access a user's account.

After the login process, LinkedIn creates a file on the user's computer which the site then uses for quicker access later on, just like cookies on many other sites. However, the extended expiry time means a bigger window of opportunity for cyber criminals.

LinkedIn uses SSL encrypting to protect data, including login details, but this does not extend to the cookies which hackers can access by monitoring traffic with sniffing' tools.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Narang also explained the cookies were active even after a user had logged out of their session.

"There are examples where cookies are accessible to hijack authenticated sessions and these cookies are months old," he said.

"In just 15 minutes, I was successfully able to access multiple active accounts that belong to individuals from different global locations. They would have logged in/logged out many times in these months but their cookie was still valid."

"Even though you change the password and all settings, still the old cookie is valid and will grant the attacker access to your account," he added.

A spokesperson from LinkedIn told IT PRO the company was looking into stronger SSL protection, but didn't go as far to say the research was right or wrong.

"LinkedIn takes the privacy and security of our members seriously so, among other security measures, we currently support SSL for logins and other sensitive web pages," they said.

Advertisement - Article continues below

"In addition, we seek to improve our site's security and are, for instance, evaluating opt-in SSL support for other parts of the site and expect those to be available in the coming months. Using SSL effectively scrambles cookies sent between servers and users' computers."

The news will come as a blow to LinkedIn after a successful week. The company went public on Friday and blew estimates of a $3 billion (1.86 billion) valuation out of the window when shares trebled. At the close of its first day trading, the social network was said to be worth $9 billion.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354577/data-protection-fines-hit-ps100m
General Data Protection Regulation (GDPR)

Data protection fines hit £100m during first 18 months of GDPR

20 Jan 2020