Cookie problems for Linkedin

LinkedIn, the social networking site aimed at business and professional users, may have become the latest dot-com success, with its IPO recently doubling the value of the business. But it seems that member accounts could be vulnerable to attack, because the cookies used to store log-in session data travel in plain text over an unencrypted channel.

What this could mean is that an attacker could easily harvest the data contained in those cookies, and, to make it worse, it is claimed that LinkedIn is in the habit of keeping cookies valid for much longer than is necessary. The consequence is that even after the user logs out of the network, an attacker who captured the cookie can still in theory use it to gain access.

Independent security researcher Rishi Narang wrote:

“As a result of valid cookies, an attacker can sniff the cookies from clear-text session, and then use it to authenticate its own session,”

“You are in a network at the office or at home and someone captures the cookies in traffic or uses Firesheep and, boom! you are hijacked till the time LinkedIn fixes it,” he said.

“And, even though you change the password and all settings, still the old cookie is valid and will grant the attacker access to your account. May God be with you!”

In a statement, LinkedIn responded to these claims by advising members to:

“choose trusted and encrypted Wi-Fi networks or VPNs whenever possible,” adding: “LinkedIn takes the privacy and security of our members seriously. So, among other security measures, we currently support SSL for log-ins and other sensitive web pages.”
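The two weaknesses described above, a session cookie that travels over plain HTTP and one that stays valid after logout or a password change, are both fixed on the server side. The following is an added example, not LinkedIn's code, sketching a session store that marks the cookie Secure and HttpOnly and revokes sessions on logout and password change; the store, class names and 12-hour lifetime are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    issued_at: float
    password_generation: int  # generation of the user's password when issued


class SessionStore:
    """Constructed in-memory store standing in for a server-side session database."""

    MAX_AGE = 12 * 3600  # assumption: 12 hours, not the long lifetimes the post describes

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._pw_generation: Dict[str, int] = {}

    def issue(self, user: str, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)  # random, never derived from the credentials
        gen = self._pw_generation.setdefault(user, 0)
        issued = now if now is not None else time.time()
        self._sessions[token] = Session(user, issued, gen)
        return token

    def set_cookie_header(self, token: str) -> str:
        # Secure: the browser never sends it over plain HTTP, so it cannot be read off
        # a clear-text channel. HttpOnly: page scripts cannot read it. Max-Age bounds
        # how long a cookie remains usable even if it leaks.
        return (f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Lax; "
                f"Path=/; Max-Age={self.MAX_AGE}")

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        s = self._sessions.get(token)
        if s is None:
            return None
        now = now if now is not None else time.time()
        expired = now - s.issued_at > self.MAX_AGE
        superseded = s.password_generation != self._pw_generation.get(s.user, 0)
        if expired or superseded:
            self._sessions.pop(token, None)  # drop it so a captured cookie stays dead
            return None
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)  # server-side revocation, not just clearing the browser

    def change_password(self, user: str) -> None:
        # Bumping the generation invalidates every session issued before the change.
        self._pw_generation[user] = self._pw_generation.get(user, 0) + 1
```

A real deployment would back the store with a database and serve the whole site over HTTPS, since the Secure flag alone does not protect a site that still offers HTTP pages.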

Source [V3]