By Justin Lee,May 24, 2011
A screen shot of LinkedIn's login page
(WEB HOST INDUSTRY REVIEW) -- A security analyst says that professional networking website LinkedIn (http://www.linkedin.com/) is open to security flaws that could potentially allow hackers to breach users' accounts without the need for their passwords, according to a Reuters report.
The news comes only a couple days after LinkedIn went public which resulted in the value of its stock more than doubling.
New Dehli, India-based security researcher Rishi Narang reported about the vulnerability on his blog (http://www.wtfuzz.com/) Saturday where he explained that the flaw is connected to the way LinkedIn handles its cookies.
When members fill in their correct username and password at the login screen, LinkedIn's system automatically creates a cookie "LEO_AUTH_TOKEN" on the user's computer that allows the individual to access the account.
While its a common practice for websites to use cookies for their user login, Narang said the LinkedIn cookie differs from these sites in that it does not expire for an entire year after it is created.
Narang said that most websites could easily design these cookies to last for just 24 hours or less time from when users access their accounts.
The LinkedIn cookie's year-long expiration time means that anybody who attains the file can upload it to his or her computer and access the user's account.
LinkedIn said it is currently securing their customers' accounts, adding that the website supports secure sockets layers.
However, Narag said the company's access token cookies are not currently with SSL which means that attackers could easily steal the cookies using tools for monitoring Internet traffic.
LinkedIn said that it will "opt-in" SSL support for other areas of the website, which would apply to the access cookies, "in the coming months."
Since most LinkedIn users are completely oblivious to this security problem and why it is important to protect these cookies, Narang said the flaw is particularly troubling.
Article Source http://www.thewhir.com/web-hosting-news/052411_LinkedIn_Access_Cookie_Opens_Users_to_Security_Breaches_says_Security_Analyst permits to repubish hereThe news comes only a couple days after LinkedIn went public which resulted in the value of its stock more than doubling.
New Dehli, India-based security researcher Rishi Narang reported about the vulnerability on his blog (http://www.wtfuzz.com/) Saturday where he explained that the flaw is connected to the way LinkedIn handles its cookies.
When members fill in their correct username and password at the login screen, LinkedIn's system automatically creates a cookie "LEO_AUTH_TOKEN" on the user's computer that allows the individual to access the account.
While its a common practice for websites to use cookies for their user login, Narang said the LinkedIn cookie differs from these sites in that it does not expire for an entire year after it is created.
Narang said that most websites could easily design these cookies to last for just 24 hours or less time from when users access their accounts.
The LinkedIn cookie's year-long expiration time means that anybody who attains the file can upload it to his or her computer and access the user's account.
LinkedIn said it is currently securing their customers' accounts, adding that the website supports secure sockets layers.
However, Narag said the company's access token cookies are not currently with SSL which means that attackers could easily steal the cookies using tools for monitoring Internet traffic.
LinkedIn said that it will "opt-in" SSL support for other areas of the website, which would apply to the access cookies, "in the coming months."
Since most LinkedIn users are completely oblivious to this security problem and why it is important to protect these cookies, Narang said the flaw is particularly troubling.
<<<<<<<<<<<<<
Click Most Updated Discount Coupon Codes & My Personal Web Hosting Recommendations if you are interested in those.
Stay Tuned!
<<<<<<<<<<<<
