LinkedIn Cookie Flaw Lets Attackers Login
LinkedIn joins the ranks of major Websites with serious security vulnerabilities that would allow attackers to access user accounts without needing passwords, a researcher said.
LinkedIn's vulnerability is directly tied into how it manages the login cookie that it downloads on to a user desktop, according to Rishi Narang, an independent security researcher, wrote on his wtfuzz blog May 21. After a user logs into the professional networking site, the system saves a "LEO AUTH TOKEN" cookie on the computer that acts a key to gain access to the account.
While login cookies are common, most sites expire the cookie fairly quickly, usually within 24 hours or less. Banking sites often log users off after five or ten minutes of inactivity, and Google offers the option of using cookies that keeps the user logged in for two weeks. The LinkedIn cookie does not expire for a full year from the date it is created, according to Narang.
Even though LinkedIn uses SSL (Secure Sockets Layer) to protect user data and login information, the cookies themselves are not protected. Anyone using readily available tools to sniff Internet traffic would be able to steal the contents of the cookie file, Narang said.
Narang found four cookie files with valid LinkedIn access tokens on a developer forum, posted by users asking questions. He was able to download those cookies and access those accounts from his computer. LinkedIn users have no idea they should be protecting those cookies, Narang said.
LinkedIn told Reuters that it is working on a "opt-in" SSL protection that would encrypt cookies which would be available "in the coming months." The vulnerabilities were uncovered shortly after LinkedIn's dramatic initial public offering on May 19. The long life of the LinkedIn cookie means that anyone who can get the file can save it on to their PC for full access to the account. Considering the recently uncovered IE flaw demonstrated at the Hack in the Box conference, obtaining the cookie file suddenly doesn't seem so far-fetched.
Even without exploiting the IE flaw, attackers can use Firesheep or other traffic sniffing applications, and "boom! Your account is hijacked," Narang said.
Users can expire the cookie by changing the password and logging out, Narang said.