LinkedIn's Cookies Are Crumbling

LinkedIn user accounts are vulnerable to hacking because of the way the social networking site handles its cookies. The warning was made by Rishi Narang, a consultant at Hackers Locked, a security firm. LinkedIn, not unlike many other sites uses cookies that are stored on users' browers which facilitate log-ins without re-inputing login information, however Narang points out that the way LinkedIn handles these cookies isn't the best.

Narang says in particular there are two cookie-related vulnerabilities. The first is from LinkedIn's SSL cookies which don't use a secure SSL flag, which means that session credentials are seen in plaintext. A man-in-the-middle attack is highly possible in this scenario which could be launched by a third party website by remotely redirecting a user to the HTTPS log-in page for LinkedIn, and watching the relevant credentials being passed back and forth. All LinkedIn needs to do to fix this is use the secure flag on any cookies that are used with an HTTPS page, such as the log-in page.

The other vulnerability is that LinkedIn has set its cookies to not expire for a whole year and doesn't cancel cookies once a user logs out. With cookies in hand, a violater can then authenticate as another user. LinkedIn's said it's working on related improvements but for now, users should try to access LinkedIn over secured networks.