LinkedIn vulnerable, says security expert
By Ashley Curtis
24/05/2011
Employees who venture onto the business networking site LinkedIn during work hours may be putting their own and other people's valuable information at risk, reports IT Pro Portal.
Rishi Narang, a security adviser, stumbled upon the risk while looking at how LinkedIn manages cookies. The flaw could allow attackers to break into users' accounts without knowing a password.
According to Narang, LinkedIn sets a cookie called "LEO_AUTH_TOKEN" on the user's computer after a successful login. Issuing such a session cookie is common practice, but LinkedIn's cookie stays valid for almost a year, so a copy that falls into an attacker's hands remains usable for that long; Narang calls this a "sensitive vulnerability".
Narang explains the impact of the flaw on wtfuzz.com: "As a result of valid cookies, an attacker can sniff the cookies from a clear-text session and then use it to authenticate his own session. He can then compromise and modify the information available at the user profile page."
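The mechanism Narang describes, as an added example that is not part of the original article and not LinkedIn's code: a toy session server issues an opaque token in a cookie, the victim's browser sends it over plain HTTP on an untrusted network, a passive attacker lifts the Cookie header out of the captured request, and replays it later. The server, the session store, the timings and the captured request are all constructed for the example; only the cookie name LEO_AUTH_TOKEN comes from the article. The same code also shows the two controls that matter: a short server-enforced token lifetime, which narrows the replay window, and the Secure flag, which keeps the cookie off clear-text HTTP altogether.

```python
# Added illustration (not LinkedIn's code) of the cookie-replay attack the
# article describes. The toy server, session store, timings and captured
# request are constructed for this example; only the cookie name
# LEO_AUTH_TOKEN comes from the article.
import secrets
from http.cookies import SimpleCookie

ONE_HOUR = 60 * 60
ONE_DAY = 24 * ONE_HOUR
ONE_YEAR = 365 * ONE_DAY
COOKIE = "LEO_AUTH_TOKEN"


class ToySessionServer:
    """Opaque session tokens kept server-side together with their expiry."""

    def __init__(self, lifetime, secure_only):
        self.lifetime = lifetime          # how long an issued token stays valid
        self.secure_only = secure_only    # set the Secure flag on the cookie?
        self.sessions = {}                # token -> (user, expiry timestamp)

    def login(self, user, now):
        """Issue a session token; returns the Set-Cookie header value."""
        token = secrets.token_hex(16)
        self.sessions[token] = (user, now + self.lifetime)
        c = SimpleCookie()
        c[COOKIE] = token
        c[COOKIE]["max-age"] = self.lifetime
        c[COOKIE]["httponly"] = True      # blocks script access, NOT network sniffing
        if self.secure_only:
            c[COOKIE]["secure"] = True    # browser sends it over https:// only
        return c[COOKIE].OutputString()

    def authenticate(self, cookie_header, now):
        """Return the user a presented Cookie header authenticates as, or None.
        Expiry is enforced here, server-side: Max-Age only tells the browser
        when to drop its copy and does nothing to a copy an attacker holds."""
        c = SimpleCookie()
        c.load(cookie_header)
        morsel = c.get(COOKIE)
        if morsel is None:
            return None
        entry = self.sessions.get(morsel.value)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]


def browser_cookie_header(set_cookie_value, scheme):
    """Cookie header a browser attaches to a request over `scheme`, or None
    when the Secure flag forbids sending the cookie over plain http."""
    c = SimpleCookie()
    c.load(set_cookie_value)
    morsel = c[COOKIE]
    if morsel["secure"] and scheme != "https":
        return None
    return f"{COOKIE}={morsel.value}"


def sniff_cookie(clear_text_request):
    """What a passive attacker on the same network reads out of a captured
    plaintext HTTP request: the Cookie header, verbatim."""
    for line in clear_text_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            return line.split(":", 1)[1].strip()
    return None


def run_scenario(lifetime, secure_only, replay_delay):
    """Victim logs in, then loads a plain http:// page on an untrusted network;
    the attacker captures the cookie and replays it `replay_delay` seconds
    later. Returns the user the replay authenticates as, or None."""
    now = 1_700_000_000                   # fixed clock for determinism
    server = ToySessionServer(lifetime, secure_only)
    set_cookie = server.login("victim", now)
    cookie_header = browser_cookie_header(set_cookie, "http")
    if cookie_header is None:
        return None                       # nothing crossed the wire in clear text
    # Constructed capture of the victim's clear-text request.
    captured = (
        "GET /profile/view HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        f"Cookie: {cookie_header}\r\n\r\n"
    )
    stolen = sniff_cookie(captured)
    return server.authenticate(stolen, now + replay_delay)


if __name__ == "__main__":
    print(run_scenario(ONE_YEAR, False, 30 * ONE_DAY))  # victim: replay works a month later
    print(run_scenario(ONE_HOUR, False, 30 * ONE_DAY))  # None: token long expired
    print(run_scenario(ONE_HOUR, False, 5 * 60))        # victim: short lifetime only narrows the window
    print(run_scenario(ONE_YEAR, True, 30 * ONE_DAY))   # None: Secure flag kept it off clear-text HTTP
```

Two points the scenarios make that the article only implies: the cookie's lifetime matters because the server honours the token for that long, not because of anything the browser does with Max-Age, so shortening it (or revoking the token server-side) is what limits the damage from a stolen copy; and HttpOnly is irrelevant to this attack, since the token is read off the wire rather than out of the page. Only the Secure flag, backed by serving the whole session over HTTPS, removes the clear-text exposure.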
Firms may want to restrict access to LinkedIn, for example through network management software, until the flaw is fixed. The exposure is greatest on networks an attacker can eavesdrop on, such as open WiFi, since the attack depends on capturing the cookie from unencrypted traffic.
LinkedIn confirmed it is taking steps to counter the issue, stating: "LinkedIn takes the privacy and security of our members seriously. Whether you are on LinkedIn or any other site, it's always a good idea to choose trusted and encrypted WiFi networks or VPNs (virtual private networks) whenever possible."