May 24, 2011 16:58 GMT  ·  By

LinkedIn plans to mitigate the security concerns related to its session cookies by reducing their lifespan to three months and implementing HTTPS across the entire social networking site.

A few days ago, a security researcher disclosed several problems with LinkedIn's authentication tokens that expose accounts to an increased risk of hijacking.

Like most websites, LinkedIn sets a cookie in the user's browser at login so that subsequent requests are recognized as coming from an authenticated user.

Indian security researcher Rishi Narang discovered that LinkedIn's "LEO_AUTH_TOKEN" cookies are not cleared when users log out.

This is a significant problem because anyone who obtains one of these tokens can hijack the account it belongs to. Tokens can be stolen through a malware infection, and because they remain valid for a year even after the user has logged out, a shared or public computer can accumulate tens or hundreds of still-valid tokens.

LinkedIn plans to extend HTTPS support to the entire website and allow users to enable it on an opt-in basis. Until then, it recommends only logging in from protected Wi-Fi networks or via VPNs.

"And, we are going to reduce the lifespan of the cookies in question from 12 months to 90 days," the company said, according to The Register.

"LinkedIn takes the privacy and security of our members seriously, while also looking to deliver a great site experience, and we believe these two changes will allow us to strike that balance," it added.

The risk of session cookies being captured on open wireless networks applies to every website that serves authenticated pages over plain HTTP, since the cookie is sent in the clear with each request; it is not specific to LinkedIn.
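The flaw described above (a token that keeps working after logout, for up to a year) and the two mitigations LinkedIn announced (HTTPS everywhere and a shorter lifetime) are easier to reason about with a minimal session store in front of you. The following Python is an added example written for this page, not LinkedIn's code; the store, the `revoke_on_logout` switch, the `set_cookie_header` helper and the simulated "stolen copy" scenario are all assumptions made for illustration, and only the 12-month and 90-day figures come from the article. It shows the vulnerable behaviour (logout only clears the browser's copy, the server still honours the token) beside the hardened one (server-side revocation plus an absolute expiry, and a cookie marked `Secure` so it is never sent over plain HTTP).

```python
"""Added example: session tokens that survive logout vs. tokens that do not.

Not LinkedIn's implementation. The SessionStore, set_cookie_header and
replay_after_logout names are assumptions made for this illustration.
"""
import secrets
from dataclasses import dataclass

# Figures from the article: 12 months before the change, 90 days after.
OLD_LIFETIME = 365 * 24 * 3600
NEW_LIFETIME = 90 * 24 * 3600


@dataclass
class Session:
    user: str
    issued_at: float   # seconds; passed in explicitly so the logic is testable
    lifetime: int      # absolute lifetime in seconds, not sliding


class SessionStore:
    """Server-side map of token -> Session.

    revoke_on_logout=False reproduces the flaw the researcher reported:
    logout tells the browser to drop the cookie but the server never
    forgets the token, so any copy taken earlier keeps working.
    """

    def __init__(self, lifetime: int, revoke_on_logout: bool):
        self.lifetime = lifetime
        self.revoke_on_logout = revoke_on_logout
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        # 256 bits from the OS CSPRNG; never derive tokens from user data.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, self.lifetime)
        return token

    def logout(self, token: str) -> None:
        if self.revoke_on_logout:
            self._sessions.pop(token, None)
        # else: nothing happens server-side, which is the bug

    def resolve(self, token: str, now: float):
        """Return the user for a token, or None if unknown or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.issued_at > s.lifetime:
            del self._sessions[token]  # hard expiry regardless of activity
            return None
        return s.user


def set_cookie_header(token: str, max_age: int) -> str:
    """Cookie attributes a site moving to full HTTPS should send.

    Secure   -> browser only sends it over HTTPS, so open Wi-Fi sniffing gets nothing.
    HttpOnly -> not readable by page script, limiting theft via XSS.
    Max-Age  -> client-side bound that mirrors the server-side lifetime.
    """
    return (f"LEO_AUTH_TOKEN={token}; Max-Age={max_age}; Path=/; "
            f"Secure; HttpOnly")


def replay_after_logout(store: SessionStore, now: float):
    """Constructed scenario: token copied off a shared PC, owner then logs out.

    Returns the user the server still attributes the stolen copy to
    (an hour later), or None if the copy has been invalidated.
    """
    token = store.login("alice", now)
    stolen_copy = token            # attacker already has the cookie value
    store.logout(token)            # legitimate user clicks "sign out"
    return store.resolve(stolen_copy, now + 3600)


if __name__ == "__main__":
    vulnerable = SessionStore(OLD_LIFETIME, revoke_on_logout=False)
    hardened = SessionStore(NEW_LIFETIME, revoke_on_logout=True)
    print("vulnerable store, stolen token after logout ->",
          replay_after_logout(vulnerable, 0))
    print("hardened store,   stolen token after logout ->",
          replay_after_logout(hardened, 0))
    print(set_cookie_header("<token>", NEW_LIFETIME))
```

Two points the example makes that the article only implies: shortening the lifetime to 90 days limits how long a stolen token is useful but does nothing for a token captured last week, so server-side revocation on logout is the fix that actually closes the reported hole; and the `Secure` attribute is what turns "HTTPS across the entire site" into protection for the cookie, because without it the browser will still send the token over any plain-HTTP request to the domain.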

During the past year there's been an aggressive push by companies offering large online services to provide users with the option to enable full HTTPS support, either on a session-by-session basis or permanently for their account.