LinkedIn’s exposure to SSL makes user accounts open to compromise
An autonomous researcher said there are numerous security exposures in business social network LinkedIn, due to the ways it handles and broadcast cookies over SSL (Secure Sockets Layer), a report said.
The researcher, in his blog post, declared the worst situation could be a when a hacker captures the cookies in traffic and compromise the account. Cookies can be used to retain account numbers and private information online. Even if the password and settings are changed, the old cookies will be valid and will help the attacker to get access to an account.
One of the several problems is the accessibility of cookies sent in simple text over unencrypted channels of communication and because SSL cookies do not have a secure flag set they contain session tokens. A hacker can easily get hold of these cookies from a LinkedIn session.
Another flaw relates to cookie expiration and session-handling where a cookie, for a genuine session, is available even after it was thought to have been terminated, or is beyond its expiry date.
The researcher added that until LinkedIn solves this problem the user may have to close the account and open it again using the same email address which will mean the user identity will change but the cookie will lose its validity. The user, however, will again have to add all the contacts.
A LinkedIn spokesman retaliated by saying the company handles the privacy and security of its members seriously and so they currently support SSL for logins and other sensitive web pages.
© Copyright IBTimes 2024. All rights reserved.