LinkedIn Session Management Vulnerabilty - Security Loopholes Exposed

It was only last week that LinkedIn Corporation went public. Incidentally, New Delhi based security researcher, Rishi Narang discovered a security loophole in this professional networking website over the weekend. He posted about it on #-Link-Snipped-#. The flaw in the website depicted that users' accounts are vulnerable to hacker attacks even without having access to passwords. Hackers may hijack and modify users' accounts after gaining the access.

#-Link-Snipped-#The cause of this security flaw was identified in the handling of cookies and the way they are transmitted over SSL (Secure Socket Layer). LinkedIn can be accessed over both HTTPS and HTTP connections. The sign-in page if accessed on HTTPS, redirects you to HTTP on successful authentication. After successful login, LinkedIn's system creates a cookie called "LEO_AUTH_TOKEN" on the user's machine that acts as a route to access users accounts. Once this LinkedIn cookie is created, it does not wear out or expire for complete one year, when it should get destroyed within 24 hours or so. Since the cookie is stored for so long, a hacker can use that file to make an attack on the user account,

Narang said that problem is particularly acute because LinkedIn's users are not aware of the problem and have no idea that they should be protecting those cookies. He said he found four cookies with valid LinkedIn access tokens had been uploaded to a LinkedIn developer forum by users who were posting questions about their use. He said he downloaded those cookies and was able to access the accounts of the four LinkedIn subscribers. [As Quoted by TOI ]

You can also see this video that shows session with cookie details followed by changing of password. Using old/previous cookie, one can still edit the profile:



News: #-Link-Snipped-#