LinkedIn Cookies Put User Accounts at Risk: Report


Website LinkedIn.com has received some tough criticism as of late, after one security researcher revealed that the cookies used on the website leave user accounts open to an online attack.

In a recent blog post, independent researcher Rishi Narang warned members of the business-oriented social network that the cookies set by the site may remain active for up to one year.

Extended Expiry Time Aids Hackers

Once a user logs in, LinkedIn creates a small file (a cookie) on their computer which the site uses to grant quicker access on later visits, much like the cookies found on many other sites.

The problem is that LinkedIn's cookies have an extended expiry time, which gives cybercriminals a bigger window of opportunity to obtain these cookies and, in turn, sensitive account information. (Source: pcpro.co.uk)

Worse still, the cookies remain active even after the user has logged out of their LinkedIn session.

As Narang explained, "In just 15 minutes, I was successfully able to access multiple active accounts that belong to individuals from different global locations. They would have logged in/logged out many times in these months, but the cookie was still valid. Even though you change the password and all settings, still the old cookie is valid and will grant the attacker access to your account." (Source: itpro.co.uk)

Cookies Not Included in SSL Protection

While LinkedIn continues to use an older cryptographic protocol called Secure Sockets Layer (SSL) to safeguard personal data (including login details), this protection does not extend to the cookies. Attackers can therefore capture these cookies by monitoring network traffic with any of a myriad of "sniffing" tools.
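To make the failure concrete, here is an added illustration (not code from LinkedIn or from Narang's post) of a server-side session store that either keeps a cookie usable until its expiry date, as the article describes, or revokes it on logout and password change and sets a bounded Max-Age with the Secure flag. The token format, the HttpOnly flag and the user names are assumptions of this example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    expires_at: float
    revoked: bool = False

class SessionStore:
    """Server-side registry of issued tokens (constructed example). The cookie
    carries only an opaque random token; validity is decided here, so the server
    can revoke it. revocation=False mimics the behaviour the article describes."""
    def __init__(self, lifetime_seconds: int, revocation: bool = True):
        self.lifetime = lifetime_seconds
        self.revocation = revocation
        self._sessions: dict[str, Session] = {}
        self._by_user: dict[str, set[str]] = {}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._sessions[token] = Session(user, now + self.lifetime)
        self._by_user.setdefault(user, set()).add(token)
        return token

    def is_valid(self, token: str, now: float) -> bool:
        s = self._sessions.get(token)
        return s is not None and not s.revoked and now < s.expires_at

    def logout(self, token: str) -> None:
        if self.revocation and token in self._sessions:
            self._sessions[token].revoked = True

    def password_changed(self, user: str) -> None:
        # Revoke every session of the account, not only the one making the change.
        if self.revocation:
            for t in self._by_user.get(user, ()):
                self._sessions[t].revoked = True

def set_cookie_header(token: str, lifetime_seconds: int) -> str:
    # Secure: not sent over plaintext HTTP; HttpOnly: hidden from page scripts;
    # Max-Age: bounds how long a captured copy stays usable.
    return (f"Set-Cookie: session={token}; Max-Age={lifetime_seconds}; "
            "Secure; HttpOnly; Path=/")

def stale_cookie_accepted(store: SessionStore, now: float) -> bool:
    """Article scenario: log in, log out, change password, reuse the old cookie a day later."""
    token = store.login("alice", now)
    store.logout(token)
    store.password_changed("alice")
    return store.is_valid(token, now + 86400)
```

With a one-year lifetime and no revocation the stale cookie is still accepted; with revocation on logout and password change it is rejected regardless of lifetime.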

The news could not have come at a worse time for the business-based social network. The company recently went public, eclipsing early estimates of a $3 billion net worth and closing out its first day of trading with a valuation upwards of $9 billion.

When asked for comment, one spokesperson at LinkedIn admitted that the company was looking into stronger SSL protection, but would not say whether or not Narang was correct in his assumptions concerning the cookies used on the site.
