Cookie’s year-long expiry date makes users vulnerable to hacks
A New Delhi-based independent security researcher has claimed to have discovered a security flaw in the professional social networking site LinkedIn that could be used by hackers to access user accounts.
Rishi Narang, the researcher who identified the problem, told Reuters that the flaw is related to the way LinkedIn manages the data file known as a cookie.
Narang said that LinkedIn's system creates a cookie named "LEO_AUTH_TOKEN" on the user's computer after the username and password are entered to access an account.
However, unlike Google and many other sites that ask users whether to store the cookie or not and that keep cookies for at most a few weeks, LinkedIn's cookie does not expire for a full year from the date it is created, Narang said.
Anyone who gets hold of the cookie can easily gain access to the original user's account, and can continue using it for a year. This leaves users of public or shared computers exposed to account hijacking and identity theft.
Narang posted details of the flaw on a blog, saying, "There exist multiple vulnerabilities in LinkedIn in the way it handles cookies and transmits them over SSL. This vulnerability, if exploited, can result in hijacking of user accounts and/or modifying user information without the consent of the profile owner."
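As an added illustration (not from the article, the researcher, or LinkedIn), the following Python audit checks Set-Cookie headers for the two weaknesses the article describes: a lifetime far beyond a few weeks, and the absence of the Secure flag that keeps a cookie off plain HTTP. The cookie value, dates, and the 14-day policy are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Assumed policy: an auth cookie should live "a few weeks", not a year.
MAX_AUTH_LIFETIME = timedelta(days=14)


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into a dict (attribute names lower-cased)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        cookie[k.strip().lower()] = v.strip() if v else True  # flag attrs become True
    return cookie


def cookie_lifetime(cookie: dict, now: datetime) -> Optional[timedelta]:
    """Lifetime from Max-Age (takes precedence) or Expires; None for a session cookie."""
    if "max-age" in cookie:
        return timedelta(seconds=int(cookie["max-age"]))
    if "expires" in cookie:
        return parsedate_to_datetime(cookie["expires"]) - now
    return None


def audit_set_cookie(header: str, now: datetime) -> list:
    """Return findings for one Set-Cookie header; an empty list means it passes."""
    c = parse_set_cookie(header)
    findings = []
    if "secure" not in c:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in c:
        findings.append("missing HttpOnly: cookie is readable by page script")
    life = cookie_lifetime(c, now)
    if life is not None and life > MAX_AUTH_LIFETIME:
        findings.append(f"lifetime {life.days} days exceeds {MAX_AUTH_LIFETIME.days} days")
    return findings


NOW = datetime(2011, 5, 23, tzinfo=timezone.utc)  # constructed reference time
# Constructed headers (not real captures): one shaped like the year-long cookie
# in the article, and a hardened version with a short lifetime and protective flags.
WEAK = "LEO_AUTH_TOKEN=abc123; Path=/; Expires=Tue, 22 May 2012 00:00:00 GMT"
HARDENED = "LEO_AUTH_TOKEN=abc123; Path=/; Max-Age=1209600; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for h in (WEAK, HARDENED):
        print(h.split(";")[0], audit_set_cookie(h, NOW) or ["ok"])
```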
LinkedIn has said that it takes the privacy and security of its members seriously.
Last week, LinkedIn, which has 1,288 employees and 102 million registered members, became the first US social networking company to go public.