May 23, 2011 17:56 GMT

An independent security researcher has discovered several security issues with LinkedIn session cookies which can expose users to man-in-the-middle attacks.

At their core, the problems reported by New Delhi-based researcher Rishi Narang are no different from those affecting any service whose users can connect over insecure wireless networks.

However, LinkedIn's issues are accentuated by some security oversights in the way it stores authentication tokens.

Like any other website that supports user accounts, LinkedIn stores session cookies inside browsers in order to remember authenticated users.

The website's session cookie is called "LEO_AUTH_TOKEN" and, according to Narang, the main problem is that it doesn't get removed when people log out.

This raises various issues. For example, when using shared computers, like in a library or even at a friend's house, it is no longer enough to simply log out in order to close a session.

The LEO_AUTH_TOKEN that gets left behind can be used to perform actions on behalf of the user for one year after it has been generated, because that's how long it takes for it to expire.

Most websites use session cookies that expire after a week or a month and are cleared when the user logs out.

In addition, the LEO_AUTH_TOKEN is not encrypted, because LinkedIn does not yet have full-session HTTPS support. This means that attackers sitting on an open wireless network can launch man-in-the-middle attacks in order to steal tokens.

Because they remain valid for so long, trojan creators can also start harvesting them from infected computers and use them to hijack LinkedIn accounts.
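The three weaknesses described above (a token sent without transport protection, a one-year lifetime, and no removal at logout) are visible in a site's login and logout `Set-Cookie` headers. The following Python check is an added example, not code from the researcher or from LinkedIn; the header values are constructed, and the 30-day limit, the use of the `Secure` attribute as the transport check, and the finding names are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

MAX_LIFETIME = timedelta(days=30)  # assumed policy: the article's "a week or a month"

def find_cookie(set_cookie_headers, name):
    """Return the last Set-Cookie morsel for `name` in a response, or None."""
    found = None
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if name in jar:
            found = jar[name]
    return found

def expiry(morsel, now):
    """Absolute expiry; Max-Age wins over Expires. None means browser-session cookie."""
    if morsel["max-age"]:
        return now + timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"])
    return None

def audit_session_cookie(name, login_headers, logout_headers, now):
    """Check the three weaknesses described above; returns a list of finding ids."""
    issued = find_cookie(login_headers, name)
    if issued is None:
        return ["not-set-at-login"]
    findings = []
    if not issued["secure"]:  # without Secure the token also travels over plain HTTP
        findings.append("missing-secure-flag")
    expires = expiry(issued, now)
    if expires is not None and expires - now > MAX_LIFETIME:
        findings.append("lifetime-too-long")
    cleared = find_cookie(logout_headers, name)
    cleared_at = expiry(cleared, now) if cleared is not None else None
    if cleared_at is None or cleared_at > now:  # logout must expire the cookie
        findings.append("not-cleared-on-logout")
    return findings

# Constructed sample responses (not captured traffic).
NOW = datetime(2011, 5, 23, 17, 56, tzinfo=timezone.utc)
WEAK_LOGIN = ["LEO_AUTH_TOKEN=constructed-token; Path=/; Expires=Wed, 23 May 2012 17:56:00 GMT"]
WEAK_LOGOUT = ["lang=en; Path=/"]  # logout response never touches the token
FIXED_LOGIN = ["LEO_AUTH_TOKEN=constructed-token; Path=/; Max-Age=604800; Secure; HttpOnly"]
FIXED_LOGOUT = ["LEO_AUTH_TOKEN=deleted; Path=/; Max-Age=0; Secure; HttpOnly"]

if __name__ == "__main__":
    print("weak: ", audit_session_cookie("LEO_AUTH_TOKEN", WEAK_LOGIN, WEAK_LOGOUT, NOW))
    print("fixed:", audit_session_cookie("LEO_AUTH_TOKEN", FIXED_LOGIN, FIXED_LOGOUT, NOW))
```

Expiring the cookie only removes the browser's copy; whether the server also invalidates the token at logout has to be tested separately.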

LinkedIn told Reuters that it is working on a solution to encrypt certain sensitive information on the website, including account logins, which will be deployed in the coming months.