A security flaw in LinkedIn's professional networking website leaves users' accounts open to hijacking without the use of their passwords.
The problem surfaced only days after LinkedIn Corp, LNKD.N, went public last week with a trading debut that saw the value of its shares more than double, evoking memories of the dot-com investment boom of the late 1990s, Reuters reported.
Rishi Narang, an Internet security researcher from New Delhi, India, who discovered the security flaw, told Reuters on Sunday that the problem is related to the way LinkedIn manages a commonly used type of data file known as a cookie.
The company issued a statement saying that it has already taken steps to secure the accounts of its customers.
"LinkedIn takes the privacy and security of our members seriously," the statement said. "Whether you are on LinkedIn or any other site, it's always a good idea to choose trusted and encrypted WiFi networks or VPNs (virtual private networks) whenever possible."
The company said that it currently supports SSL, or secure sockets layer, technology for encrypting certain sensitive data, including account logins.
After a user enters the proper username and password to access an account, LinkedIn's system creates a cookie called LEO_AUTH_TOKEN on the user's computer, and that cookie serves as the credential that grants access to the account.
What makes the LinkedIn cookie unusual is that it does not expire for a full year after it has been created, Narang said. Most commercial websites are designed so that such token cookies expire within 24 hours, or even earlier if the user logs off the account first, Narang added.
There are some exceptions: banking sites often log users off after 5 or 10 minutes of inactivity, and Google gives its users the option of using cookies that keep them logged on for several weeks, but it lets the user decide first.
The problem with the long life of the LinkedIn cookie is that anybody who can download the file can load it onto a PC and gain access to the original user's account for almost a year.
But those access-token cookies are not yet protected by SSL. That makes it possible for hackers to steal the cookies using widely available tools for sniffing Internet traffic, Narang said.
LinkedIn said that it is preparing to offer opt-in SSL support for other parts of the site, an option that would also cover the encrypted transmission of those cookies. The company said it expected the option to be available in the coming months.
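The two properties the article faults, a cookie that lives for a year and a cookie that travels without SSL, correspond to attributes a site sets on its session cookie and to server-side session bookkeeping. The Python below is an added example, not LinkedIn's code: the SESSION_ID cookie name, the one-day lifetime and the WEAK_COOKIE header are constructed for illustration. It audits a Set-Cookie header for the weaknesses described (no Secure flag, no HttpOnly flag, an over-long lifetime) and shows a session store whose tokens expire on the server and can be revoked at logout, so a copied cookie stops working when the session does.

```python
"""Session-cookie hygiene: audit Set-Cookie headers and issue short-lived, revocable tokens."""
import secrets
import time

ONE_DAY = 24 * 60 * 60
ONE_YEAR = 365 * ONE_DAY


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes) with lowercase attribute keys."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header, max_lifetime=ONE_DAY):
    """Return a list of findings for a session cookie header; an empty list means it passes."""
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    if "max-age" in attrs:
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            lifetime = None
        if lifetime is None:
            findings.append("unparseable Max-Age")
        elif lifetime > max_lifetime:
            findings.append(f"lifetime {lifetime}s exceeds {max_lifetime}s")
    elif "expires" in attrs:
        findings.append("Expires set without Max-Age: check the absolute date manually")
    return findings


class SessionStore:
    """Server-side session table: the cookie only carries a random handle into this table."""

    def __init__(self, ttl=ONE_DAY):
        self.ttl = ttl
        self._sessions = {}  # token -> (user, expiry timestamp)

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (user, now + self.ttl)
        return token

    def user_for(self, token, now=None):
        """Resolve a presented token; expired tokens are dropped and return None."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires = entry
        if now >= expires:
            del self._sessions[token]
            return None
        return user

    def logout(self, token):
        """Revoke server-side, so a copy of the cookie is useless after logout."""
        self._sessions.pop(token, None)

    def cookie_header(self, token):
        # Secure: sent only over HTTPS; HttpOnly: hidden from scripts; Max-Age: short lifetime.
        return (f"SESSION_ID={token}; Max-Age={self.ttl}; Path=/; "
                "Secure; HttpOnly; SameSite=Lax")


# Constructed header with the weak shape the article describes: a one-year lifetime and no Secure flag.
WEAK_COOKIE = f"LEO_AUTH_TOKEN=example-token-value; Max-Age={ONE_YEAR}; Path=/"

if __name__ == "__main__":
    for finding in audit_set_cookie(WEAK_COOKIE):
        print("weak cookie:", finding)
    store = SessionStore()
    tok = store.issue("alice")
    print("hardened header:", store.cookie_header(tok))
    print("audit of hardened header:", audit_set_cookie(store.cookie_header(tok)))
```

The audit is a static check on the header text; the expiry check in `user_for` is what actually limits the window in which a stolen cookie is useful, and `logout` closes it immediately, which a purely client-side expiry date cannot do.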
Narang said he found four cookies containing valid LinkedIn access tokens posted to a LinkedIn developer forum by users who were asking questions about their use. He downloaded those cookies and was able to access the accounts of the four LinkedIn subscribers.