Out-Law News 3 min. read

Security researcher claims LinkedIn details are insecure


Security flaws in LinkedIn's website could allow hackers access to personal information on the site without needing users' passwords, a security researcher has said.

LinkedIn is a networking site for business people. Users store profiles on the site and interact with other people and businesses. Security researcher Rishj Narang has said that flaws exist in how LinkedIn transfers users' private login information to gain access to the public site.

"There exists multiple vulnerabilities in LinkedIn in which it handles the cookies and transmits them ... This vulnerability if exploited, can result in hijacking of user accounts, and/or modifying the user information without the consent of the profile owner," Rishi Narang, a security researcher said in his blog.

'Cookies' are small text files that websites store on users' computers. The information stored on the files can identify what the user has viewed online.

The password details stored in cookie files are unencrypted and give hackers an opportunity to steal the data if it they are monitoring the users' web traffic, Narang said.

The fact that session tokens contain the LinkedIn users' login details means that hackers can access LinkedIn long after the user has logged out, Narang said.

"The cookie for an authenticated session is available even after the session has been terminated or way beyond the date of expiry (instead compared to session logout, it is valid for 1 year)," Narang said.

"In just 15 minutes, I was successfully able to access multiple active accounts that belong to individuals from different global locations. They would have login/logged out many times in these months but their cookie was still valid," Narang said.

"As a result of valid cookies, an attacker can sniff the cookies ... and then use it to authenticate its own session. He can then compromise and modify the information available at the user profile page," Narang said.

Narang says that LinkedIn users would not know if they had been victims of a hack and should change their passwords regularly to thwart hackers.

"You as a user will not come to know that the cookie is stolen or there have been any parallel login by the attacker," Narang said his blog.

"And, LinkedIn doesn’t maintain any list of IP addresses (for a user to view at his account) that are being used to access your account as does the Gmail etc. The password change and then login with new password will expire the old cookie. Only the password change, will keep the old cookie alive so you need minimum 1 time login to let the old cookie expire out," Narang said.

Internet users can 'flag' that cookie data can only be sent over secure connections. LinkedIn users should protect the information cookies hold about them, Narang said.

"The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over [a secure internet connection]," Narang said.

"If cookies are used to transmit session tokens, then areas of the application that are accessed over [a secure internet connection] should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications," the security researcher said.

LinkedIn said users who suspect they have been hacked should change their passwords immediately and said it was seeking to improve the security on the site.

"LinkedIn takes member privacy and security seriously. Unfortunately, hackers are trying different means to exploit vulnerabilities on websites, like a recent report suggested was possible," LinkedIn said in a blog post.

"We are constantly working on improving our site security measures. We are accelerating our existing plans to extend [secure technology transfer of data] support across the entire site on an opt-in basis. We are also going to reduce the lifespan of our authentication cookies to better protect our members," LinkedIn said.

LinkedIn is the latest website where security flaws have been identified. Researchers recently claimed to identify how Google's Android phones expose users' log in details, while other researchers claimed to expose flaws in how Apple store data that records where a device has been.

Other findings included claims that Facebook inadvertently allow advertisers access to users' accounts.

Earlier this month Sony reported that more than 100 million people may have had their personal data exposed by hackers who exploited flaws the company's PlayStation Network and Sony Online Entertainment system.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.