Doesn't it seem like every week brings a new story about a security issue with a social media platform? This week, it's LinkedIn's turn.
Reuters reported that LinkedIn's professional networking website has security flaws that make users' accounts vulnerable to attack by hackers who can break in without ever needing passwords. The news of the security flaw comes on the heels of the company going public.
The problem appears to be related to the way LinkedIn manages its cookie files, according to Rishi Narang, the independent security researcher who discovered it. Reuters reported:
After a user enters the proper user name and password to access an account, LinkedIn's system creates a cookie, "LEO_AUTH_TOKEN", on the user's computer that serves as a key to gain access to the account. Lots of websites use such cookies, but what makes the LinkedIn cookie unusual is that it does not expire for a full year from the date it is created.
Most commercial website cookies expire in 24 hours or less.
Mike Paquette, chief strategy officer at Top Layer Security, told me that the use of authentication tokens for Web-based applications, whether as browser cookies or otherwise, is an attempt to strike a balance between transaction security and user convenience. In this case, the pendulum may have swung a bit too far toward convenience. He said:
That said, it's not yet clear how much information or control an attacker would gain if they were able to acquire one of these cookies. I've seen that LinkedIn does ask users to re-authenticate before being allowed to perform certain operations within the application, so perhaps this mitigates the severity of the vulnerability.
A likely attack scenario would require the attacker to have some type of physical proximity to a victim in order to steal this information in flight from, say, an unencrypted or poorly encrypted Wi-Fi link. However, because this information is also stored on the hard drive of the user's computer, it is possible that malware, if installed on the computer, could "harvest" this information for subsequent abuse.
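As an added example (not code from the article or from LinkedIn), here is a small audit a defender can run over Set-Cookie headers to flag the two problems described above: an authentication cookie that outlives a sensible policy, and one that lacks the Secure or HttpOnly flags that limit its exposure on plaintext links and to page scripts. The header values, the dates and the one-day threshold are constructed assumptions; only the cookie name LEO_AUTH_TOKEN comes from the article.

```python
"""Audit Set-Cookie headers for long-lived or under-protected auth cookies.

Added example, not from the original article. The sample headers, the audit
time and the lifetime policy below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed samples: a year-long auth cookie as the article describes,
# then a hardened alternative (30-minute lifetime, Secure and HttpOnly set).
SAMPLE_HEADERS = [
    "LEO_AUTH_TOKEN=abc123; Path=/; Expires=Fri, 25 May 2012 10:00:00 GMT",
    "LEO_AUTH_TOKEN=abc123; Path=/; Max-Age=1800; Secure; HttpOnly",
]

# Constructed "current time" so the Expires arithmetic is reproducible.
AUDIT_TIME = datetime(2011, 5, 25, 10, 0, tzinfo=timezone.utc)

# Assumed policy: an auth cookie should not outlive a day (the article notes
# most commercial site cookies expire in 24 hours or less).
MAX_AUTH_LIFETIME = timedelta(days=1)


def cookie_lifetime(morsel, now):
    """Return the cookie lifetime as a timedelta, or None for a session cookie.

    Max-Age takes precedence over Expires, as RFC 6265 specifies.
    """
    if morsel["max-age"]:
        return timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) - now
    return None


def audit_set_cookie(header, now, max_lifetime=MAX_AUTH_LIFETIME):
    """Return a list of finding strings for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        lifetime = cookie_lifetime(morsel, now)
        if lifetime is not None and lifetime > max_lifetime:
            findings.append(f"{name}: lifetime of {lifetime.days} days exceeds policy")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure flag (sent over plaintext links)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly flag (readable by page scripts)")
    return findings


def run_audit(headers=SAMPLE_HEADERS, now=AUDIT_TIME):
    """Audit each sample header; returns one findings list per header."""
    return [audit_set_cookie(h, now) for h in headers]
```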