Vulnerabilities / Threats
5/24/2011
01:37 PM
50%
50%

LinkedIn Faces Cookie Vulnerabilities

The social networking site is set to reduce the length of time before cookies expire and add HTTPS across its site.

How Firesheep Can Hijack Web Sessions
(click image for larger view)
Slideshow: How Firesheep Can Hijack WebSessions
LinkedIn users' accounts are vulnerable to hijacking, due to the manner in which the social networking site handles its website cookies.

That security warning comes from Rishi Narang, a security consultant at website scanning firm Hackers Locked, who published an analysis of the vulnerability on Saturday.

LinkedIn is much in the news lately, owing to its initial public offering on Thursday, which by the close of the day resulted in the company being valued at $8.9 billion. But is the company paying enough attention to the security of its users?

LinkedIn, like many websites, uses cookies to store, on a PC, session information relating to anyone who uses that PC to access LinkedIn. Such cookies make it easy for users to later access LinkedIn without having to enter a username or password. But according to Narang, LinkedIn needs to handle its cookies better.

All told, there are two cookie-related vulnerabilities, he said. The first stems from LinkedIn SSL cookies not using a secure flag, which means that session credentials are sent in plaintext. As a result, they're susceptible to a man-in-the-middle attack, which could intercept these credentials. Such an attack could be launched from a third-party website by remotely redirecting a user to the HTTPS log-in page for LinkedIn, and watching the relevant credentials being passed back and forth.

A fix, however, is relatively simple: LinkedIn should use the secure flag on any cookies that are used with an HTTPS page, such as the log-in page, said Narang. "If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic," he said. "If the secure flag is not set, then the cookie will be transmitted in clear text if the user visits any HTTP URLs within the cookie's scope." Another security improvement would be for LinkedIn to restrict credentials to a specific IP address, as Gmail does. That way, if an attacker stole a credential and attempted to use it from another PC, it wouldn't work.

The second vulnerability, he said, is due to LinkedIn setting its cookies to not expire for one year--an eternity, in website time--and not canceling cookies if a user logs out. "As a result of valid cookies, an attacker can sniff the cookies from [a] clear-text session," as detailed with the prior vulnerability, said Narang. With cookies in hand, an attacker could then authenticate as the other user. "He can then compromise and modify the information available at the user profile page," he said.

Accordingly, this vulnerability rates largely as a nuisance, since LinkedIn doesn't store people's financial information. On the other hand, in the wrong hands, a LinkedIn account hijacking or defacement could be quite embarrassing. Furthermore, intercepting people's LinkedIn credentials is relatively easy--if they're using an unsecured, public Wi-Fi hotspot--by using a tool such as Firesheep.

LinkedIn said it's working on related improvements, but in the short term, recommended users avoid unsecured networks. "Whether you are on LinkedIn or any other site, it's always a good idea to choose trusted and encrypted Wi-Fi networks or VPNs whenever possible," said a LinkedIn spokesperson via email. "If one isn't available, we already support SSL for logins and other sensitive Web pages."

Going forward, he said, LinkedIn plans to support SSL--as in, HTTPS pages--across the entire site. As with Facebook, users will need to opt in. Furthermore, "we are going to reduce the lifespan of the cookies in question from 12 months to 90 days," said the spokesperson.

"LinkedIn takes the privacy and security of our members seriously, while also looking to deliver a great site experience, and we believe these two changes will allow us to strike that balance," he said.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.