According to Indian security expert Rishi Narang, popular business networking site LinkedIn has a security vulnerability that could allow unauthorized access to an account without its password. This vulnerability is just the latest in a long string of flaws, hacks, attacks and other security issues across the web in recent months.
Narang told Reuters that the problem lies in the way LinkedIn stores cookies on your system. According to him, the “LEO_AUTH_TOKEN” cookie is used as a key that lets your system access your account without re-entering credentials. This is common practice among websites, except that this cookie remains valid on your system for a full year after its creation. Normally, cookies of this nature would expire after 24 hours.
The unusually long life of this cookie means that any hacker or person with malicious intent who obtains it, even months after it was created, can still easily access the account. LinkedIn has stated that it is always a good idea to use encrypted WiFi connections or VPNs, and it even provides a secure SSL connection for logins; however, this cookie itself is not protected by SSL. Narang said this makes it possible to steal the cookie using freely available network sniffing tools.
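As an added illustration that is not part of the article or any LinkedIn code, the script below audits Set-Cookie headers for the two properties the article criticizes: an authentication cookie that is not marked Secure (so it can travel over plain HTTP) and a lifetime far beyond 24 hours. The header lines, the 24-hour threshold and the audit date are constructed assumptions; only the cookie name LEO_AUTH_TOKEN comes from the article.

```python
"""Audit Set-Cookie headers for long-lived auth cookies not restricted to HTTPS.
Sample headers below are constructed, not captured from LinkedIn."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SESSION_LIFETIME = 24 * 3600  # seconds; the "normally 24 hours" baseline (assumed)
AUDIT_DATE = datetime(2011, 5, 22, tzinfo=timezone.utc)  # assumed date of the audit

# Constructed sample headers: one mirrors the article's complaint, two are sane.
SAMPLE_HEADERS = [
    "LEO_AUTH_TOKEN=abc123; Path=/; Expires=Thu, 31 May 2012 12:00:00 GMT",
    "JSESSIONID=xyz; Path=/; Secure; HttpOnly",
    "csrf=tok; Path=/; Max-Age=3600; Secure",
]

def parse_set_cookie(header, now):
    """Return (name, attrs, lifetime_seconds); lifetime is None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")          # flags like Secure have an empty value
        attrs[k.strip().lower()] = v.strip()
    lifetime = None
    if "max-age" in attrs:                  # Max-Age takes precedence per RFC 6265
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        lifetime = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return name, attrs, lifetime

def audit_cookie(header, now, max_lifetime=MAX_SESSION_LIFETIME):
    """Return a list of findings for one Set-Cookie header; empty means it passed."""
    name, attrs, lifetime = parse_set_cookie(header, now)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag, cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag, readable by page scripts")
    if lifetime is not None and lifetime > max_lifetime:
        findings.append(f"{name}: lifetime {lifetime // 86400} days exceeds {max_lifetime // 3600} h")
    return findings

def audit_all(headers, now):
    """Map each cookie name to its findings."""
    return {h.split("=", 1)[0]: audit_cookie(h, now) for h in headers}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS, AUDIT_DATE).items():
        print(name, "OK" if not findings else findings)
```

Run against real responses, the same check fits into a CI job or a reverse-proxy test so a Set-Cookie header that drops Secure or grows a year-long Expires is caught before deployment.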
Narang further mentioned that he himself has been able to exploit this flaw: he downloaded four cookies from a LinkedIn developer forum, where users had posted them while asking about their use, and then accessed those accounts using the information the cookies provided. Reuters says LinkedIn officials declined to respond to Narang's discovery.