Social networking - LinkedIn Cookie Flaw Lets Attackers Login - eWeek Security Watch
Security Watch
SHARE
Facebook X Pinterest WhatsApp

LinkedIn Cookie Flaw Lets Attackers Login

Written By
Fahmida Y. Rashid
Fahmida Y. Rashid
May 27, 2011
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

LinkedIn joins the ranks of major Websites with serious security vulnerabilities that would allow attackers to access user accounts without needing passwords, a researcher said.

LinkedIn’s vulnerability is directly tied into how it manages the login cookie that it downloads on to a user desktop, according to Rishi Narang, an independent security researcher, wrote on his wtfuzz blog May 21. After a user logs into the professional networking site, the system saves a “LEO AUTH TOKEN” cookie on the computer that acts a key to gain access to the account.

While login cookies are common, most sites expire the cookie fairly quickly, usually within 24 hours or less. Banking sites often log users off after five or ten minutes of inactivity, and Google offers the option of using cookies that keeps the user logged in for two weeks. The LinkedIn cookie does not expire for a full year from the date it is created, according to Narang.

Even though LinkedIn uses SSL (Secure Sockets Layer) to protect user data and login information, the cookies themselves are not protected. Anyone using readily available tools to sniff Internet traffic would be able to steal the contents of the cookie file, Narang said.

Narang found four cookie files with valid LinkedIn access tokens on a developer forum, posted by users asking questions. He was able to download those cookies and access those accounts from his computer. LinkedIn users have no idea they should be protecting those cookies, Narang said.

LinkedIn told Reuters that it is working on a “opt-in” SSL protection that would encrypt cookies which would be available “in the coming months.” The vulnerabilities were uncovered shortly after LinkedIn’s dramatic initial public offering on May 19. The long life of the LinkedIn cookie means that anyone who can get the file can save it on to their PC for full access to the account. Considering the recently uncovered IE flaw demonstrated at the Hack in the Box conference, obtaining the cookie file suddenly doesn’t seem so far-fetched.

Even without exploiting the IE flaw, attackers can use Firesheep or other traffic sniffing applications, and “boom! Your account is hijacked,” Narang said.

Users can expire the cookie by changing the password and logging out, Narang said.
Fahmida Y. Rashid
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information