LinkedIn is careless with access cookies - Update
Security specialist Rishi Narang warns that LinkedIn has been careless with its users' access credentials and that third parties could, therefore, easily obtain unauthorised access to other users' accounts.
For example, while LinkedIn does encrypt password transmission, it redirects users to unencrypted pages. When using the online service, components such as session cookies are consequently transmitted in unencrypted form. Attackers who manage to intercept such cookies, for instance on an unsecured Wi-Fi network, can use the cookies to obtain full access to their victims' accounts. This was impressively demonstrated by Firesheep, which caused Twitter and Facebook to introduce an option that allows users to visit all of their pages via https.
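The weakness described above is visible in the Set-Cookie headers a site sends. The following audit helper is an added example (not code from the article or from LinkedIn) that parses one Set-Cookie header and reports the defender-relevant gaps: a missing Secure flag (the cookie is also sent over plain http and can be sniffed on an open Wi-Fi network), a missing HttpOnly flag, and a lifetime beyond a hypothetical one-day policy threshold. The cookie values and the 31536000-second lifetime in the samples are constructed for the example.

```python
from dataclasses import dataclass, field

# Longest lifetime this audit accepts for an authentication cookie.
# Hypothetical policy value for the example, not a LinkedIn setting.
MAX_AUTH_LIFETIME_SECONDS = 24 * 60 * 60


@dataclass
class CookieAudit:
    name: str
    attributes: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header value into cookie name and attributes.
    Flag attributes (Secure, HttpOnly) map to True; valued attributes
    (Path, Max-Age, ...) keep their value. Attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    audit = CookieAudit(name=name.strip())
    for attr in parts[1:]:
        key, has_value, value = attr.partition("=")
        audit.attributes[key.strip().lower()] = value.strip() if has_value else True
    return audit


def audit_auth_cookie(header: str) -> CookieAudit:
    """Check an authentication cookie for transport and lifetime weaknesses."""
    audit = parse_set_cookie(header)
    attrs = audit.attributes
    if attrs.get("secure") is not True:
        audit.findings.append("missing Secure: cookie is also sent over unencrypted http")
    if attrs.get("httponly") is not True:
        audit.findings.append("missing HttpOnly: cookie is readable by script in the page")
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.lstrip("-").isdigit():
        if int(max_age) > MAX_AUTH_LIFETIME_SECONDS:
            audit.findings.append(
                f"Max-Age={max_age}s exceeds policy of {MAX_AUTH_LIFETIME_SECONDS}s")
    return audit


# Constructed sample headers: a weak cookie and a hardened one.
WEAK_HEADER = "LEO_AUTH_TOKEN=constructed-sample-value; Path=/; Max-Age=31536000"
HARDENED_HEADER = ("LEO_AUTH_TOKEN=constructed-sample-value; Path=/; "
                   "Secure; HttpOnly; Max-Age=3600")

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        result = audit_auth_cookie(header)
        print(result.name, "->", result.findings or "no findings")
```

Run against a real site's responses, the function is fed each Set-Cookie header separately; a cookie that carries none of the flags and a year-long Max-Age produces three findings, the hardened variant none.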
To make things worse, the access token LinkedIn stores in the LEO_AUTH_TOKEN cookie doesn't appear to expire and continues to provide full account access even after the user has logged out. According to Narang, it can even survive password changes and will only expire after a year.
The H's associates at heise Security did indeed manage to use Narang's sample script to post a LinkedIn status update even after explicitly signing out; however, posting was no longer possible after a password change. This may have been caused by LinkedIn's current efforts to review its session management, which are hinted at by the presence of a second access token that has a "secure" flag and will, therefore, only be transmitted via encrypted SSL connections.
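The two observations above, a token that keeps working after logout and one that may survive a password change, both come down to whether the server tracks session validity itself rather than trusting the cookie. The following in-memory session store is an added example (not LinkedIn's code or the article's) of the behaviour a reviewer would expect: random tokens stored only as hashes, a bounded lifetime, revocation on logout, and invalidation of every session of a user when the password changes. The cookie name LEO_AUTH_TOKEN is taken from the article; the one-hour lifetime, the injectable clock and the user names are constructed for the example.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Server-side session registry (example code, not a real site's implementation)."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested deterministically
        self._sessions = {}           # sha256(token) -> (user, issued_at, password_generation)
        self._pw_generation = {}      # user -> counter bumped on every password change

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash so a leaked session table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str) -> str:
        """Issue a fresh random token bound to the user's current password generation."""
        token = secrets.token_urlsafe(32)
        gen = self._pw_generation.setdefault(user, 0)
        self._sessions[self._key(token)] = (user, self.clock(), gen)
        return token

    def user_for(self, token: str):
        """Resolve a token to a user, or None if unknown, expired or invalidated."""
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        user, issued_at, gen = entry
        expired = self.clock() - issued_at > self.ttl
        stale = gen != self._pw_generation.get(user, 0)   # password changed since issue
        if expired or stale:
            del self._sessions[self._key(token)]
            return None
        return user

    def logout(self, token: str) -> None:
        """Explicit sign-out must revoke the token server-side, not just clear the cookie."""
        self._sessions.pop(self._key(token), None)

    def change_password(self, user: str) -> None:
        """Bumping the generation invalidates every session issued before the change."""
        self._pw_generation[user] = self._pw_generation.get(user, 0) + 1

    def set_cookie_header(self, token: str) -> str:
        """Cookie attributes matching the server-side lifetime: Secure and HttpOnly set."""
        return f"LEO_AUTH_TOKEN={token}; Path=/; Secure; HttpOnly; Max-Age={self.ttl}"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice")          # constructed user name
    print(store.set_cookie_header(tok))
    print("before logout:", store.user_for(tok))
    store.logout(tok)
    print("after logout:", store.user_for(tok))
```

The generation counter is what makes a password change cut off sessions on other devices without a per-session scan; the Max-Age in the emitted cookie mirrors the server-side TTL so the browser and the server agree on when the token stops being valid.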
Update 24-05-11: In a post on the official LinkedIn blog, LinkedIn Senior Director of Engineering & Security Ganesh Krishnan says that, following Narang's recent report, the company is accelerating its existing plans to extend SSL encryption support across its entire site. However, Krishnan notes that this will be done on an opt-in basis, meaning that users need to manually enable this option. The company is also planning to reduce the lifespan of its authentication cookies in order "to better protect our members".
- Twitter adds "Always use HTTPS" option, a report from The H.
- Facebook now SSL-encrypted throughout, a report from The H.
- HTTPS Everywhere brings more encryption, a report from The H.
- Microsoft responds to Firesheep cookie-jacking tool, a report from The H.