LinkedIn SSL cookies leave users vulnerable, says researcher

Professional networking website LinkedIn found to have security holes in the way it handles authentication cookies, says Indian researcher.

Professional networking Website LinkedIn has been discovered to be suffering from multiple vulnerabilities. If exploited, these can result in illegitimate access to user accounts and/or modification of user information without the profile owner’s consent. According to Rishi Narang, an independent New Delhi based security researcher who found the vulnerabilities, the problem lies in the way LinkedIn handles and transmits its authentication cookies.  Narang explains that the authentication cookies are being sent by LinkedIn in plain text over an unsecured channel, in addition to having year-long expiration dates.

The SSL cookies are sent without a set secure flag, writes Narang. This means that the cookies ‘JSESSIONID’ and ‘LEO_AUTH_TOKEN’ (which appear to contain session tokens), are available in plain text over unencrypted communication channels, which can be sniffed out of network traffic. If intercepted, these cookies could be used to authenticate a duplicate logon without the profile owner’s consent, using a man-in-the-middle (MITM) attack.

The second LinkedIn vulnerability involves cookie expiration dates. An authenticated session’s cookie is available even after the session has been terminated and beyond the date of expiry, writes Narang.  It seems that LinkedIn keeps cookies active even after a user logs off, potentially enabling an attacker to authenticate his own session.

Experts consulted by have established that the vulnerability could be used by attackers to authenticate themselves, using an established session. However, the attacker only has access to several features like viewing the profile/messages and changing status updates. LinkedIn requires users to re-authenticate themselves using their account credentials.

Narang also mentions that cookies are expired when a user resets his password, and logs on with the new password. A full disclosure of the exploit is available on Narang’s blog post.

As a response to this claim, LinkedIn announced plans to reduce the cookie expiration date from 12 months to 90 days. It also recommended that users employ encrypted WiFi networks or virtual private networks. LinkedIn has more than 100 million members worldwide.

Read more on Hackers and cybercrime prevention