Rishi Narang, an independent security researcher, has revealed that LinkedIn contains security vulnerabilities that could allow hackers to access user accounts. According to Rishi, “there exist multiple vulnerabilities in LinkedIn in how it handles the cookies and transmits them over SSL. This vulnerability, if exploited, can result in hijacking of user accounts, and/or modifying the user information without the consent of the profile owner.”
LinkedIn (like most sites) uses session and authentication cookies to determine if a request originated from an authenticated user.
The first vulnerability discovered by Rishi is that the Secure flag isn’t set on these cookies, which means the cookie is transmitted in clear text whenever the user visits any HTTP URL (rather than HTTPS) within the cookie’s scope.
The second problem is the expiration date of these cookies. Authentication-related cookies normally expire in a few hours (or even minutes for finance-related websites), but LinkedIn’s cookies expire only after one year.
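As an added example (not from the article, and not LinkedIn’s code), here is a small Python check a site owner could run against their own Set-Cookie headers to catch the two weaknesses described above: a missing Secure flag and a lifetime far beyond what a session cookie needs. The 8-hour policy limit and the sample headers are assumptions.

```python
# Added example: audit Set-Cookie headers for a missing Secure flag and an
# overly long lifetime. Not the article's or LinkedIn's code; policy values are assumed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

MAX_SESSION_LIFETIME_SECONDS = 8 * 3600  # assumed policy: session cookies live at most 8 hours


@dataclass
class CookieAudit:
    name: str
    findings: List[str] = field(default_factory=list)


def audit_set_cookie(header_value: str, now: Optional[datetime] = None) -> CookieAudit:
    """Parse one Set-Cookie header value and return the policy findings for it."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:  # attributes are case-insensitive; Secure/HttpOnly carry no value
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    audit = CookieAudit(name)
    if "secure" not in attrs:
        audit.findings.append("missing Secure flag: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly flag: cookie readable by page scripts")
    lifetime = None  # seconds; Max-Age takes precedence over Expires per RFC 6265
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        lifetime = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
    if lifetime is not None and lifetime > MAX_SESSION_LIFETIME_SECONDS:
        audit.findings.append(f"lifetime {lifetime / 86400:.0f} days exceeds policy")
    return audit


# Constructed sample headers: a weak one resembling the problem described, and a hardened one.
WEAK_COOKIE = "sessionid=abc123; Path=/; Expires=Wed, 13 Jun 2012 10:00:00 GMT"
HARDENED_COOKIE = "sessionid=abc123; Path=/; Secure; HttpOnly; Max-Age=3600"
FIXED_NOW = datetime(2011, 6, 13, 10, 0, tzinfo=timezone.utc)  # constructed reference time

if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE):
        result = audit_set_cookie(header, now=FIXED_NOW)
        print(result.name, result.findings or "OK")
```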
Rishi says that as a result, in just 15 minutes, he was able to access multiple active accounts that belonged to individuals from all over the world.
Rishi goes on to explain that an attacker can sniff the cookies from a clear-text session and then use them to authenticate a new session. The attacker can then compromise and modify the information on the user’s profile page.
The news of these vulnerabilities comes only days after LinkedIn went public. LinkedIn is a social-networking site for professionals with more than 100 million users and over 1,200 employees.