AN INDEPENDENT insecurity researcher says there are multiple security vulnerabilities in the business social network LinkedIn due to the way it handles and transmits cookies over SSL.
In a blog post, Rishi Narang claimed that a worst case scenario would see a hacker capturing your web browsing cookies in traffic and hijacking your account. Cookies are snippets of text that are sent to your web browser and retained in disk files, and they are used to do things like retain your account numbers, personalise information and help with services like Amazon.
He said that even if you change the password and all settings, the old cookie will be valid and will grant the attacker access to your account.
One of the problems is that cookies are sent in plain text over unencrypted channels of communication, posted Narang. He said this is because cookies issued over SSL do not have the secure flag set, and they appear to contain session tokens.
"An attacker may be able to perform a man-in-the-middle (MITM) attack, and thus capture these cookies from an established LinkedIn session," said the researcher.
"Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form https://www.linkedin.com to perform the same attack."
A second flaw relates to cookie expiration and session handling, where a cookie for an authenticated session is available even after it was supposed to have been terminated, or way beyond its expiration date.
Narang said you can access cookies, hijack authentication sessions and go on to compromise and modify user profiles.
He added, "In just 15 minutes, I was successfully able to access multiple active accounts that belong to individuals from different global locations. They would have logged in/logged out many times in these months but their cookie was still valid."
Until LinkedIn fixes the issue, Narang said the only viable workaround is to close the account and open it again with the same email address. This means the user identity will change and the cookie won't be valid. But this means adding all your contacts again.
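An added example, not code from LinkedIn or from Narang's post: a minimal server-side session store in Python showing the two fixes that the flaws above imply, a cookie marked Secure so the browser never sends it over plain HTTP, and sessions that stop working on logout, password change and expiry. The names `SessionStore` and `session_id` and the 30-minute lifetime are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60  # assumed session lifetime in seconds (not from the article)


class SessionStore:
    """Server-side session table: the cookie carries only a random ID."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.sessions = {}  # token -> (user, expiry timestamp)

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.clock() + self.ttl)
        return token

    def validate(self, token):
        """Return the user for a live session, else None."""
        entry = self.sessions.get(token)
        if entry is None:
            return None  # unknown, logged out or revoked
        user, expiry = entry
        if self.clock() >= expiry:
            del self.sessions[token]  # expiry is enforced by the server
            return None
        return user

    def logout(self, token):
        self.sessions.pop(token, None)

    def change_password(self, user):
        """Revoke every session of this user, so a captured cookie dies too."""
        for token in [t for t, (u, _) in self.sessions.items() if u == user]:
            del self.sessions[token]


def session_cookie_header(token, ttl=SESSION_TTL):
    """Build a Set-Cookie value that the browser sends over HTTPS only."""
    cookie = SimpleCookie()
    cookie["session_id"] = token
    morsel = cookie["session_id"]
    morsel["secure"] = True    # the flag the article says was missing
    morsel["httponly"] = True  # extra hardening, not mentioned in the article
    morsel["max-age"] = ttl
    morsel["path"] = "/"
    return morsel.OutputString()
```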
A LinkedIn spokesperson said, "Whether you are on LinkedIn or any other site, it's always a good idea to choose trusted and encrypted Wi-Fi networks or VPNs whenever possible."
"LinkedIn takes the privacy and security of our members seriously so, among other security measures, we currently support SSL for logins and other sensitive web pages."
"In addition, we seek to improve our site's security and are, for instance, evaluating opt-in SSL support for other parts of the site and expect those to be available in the coming months. Using SSL effectively scrambles cookies sent between servers and users’ computers."