LinkedIn SSL vulnerability leaves accounts open to hacking

    Date: 23 May 2011
    Posted by: Anthony Pell
    AN INDEPENDENT insecurity researcher says there are multiple security vulnerabilities in the business social network LinkedIn, due to the way it handles and transmits cookies over SSL. In a blog post, Rishi Narang claimed that a worst-case scenario would see a hacker capturing your web browsing cookies in traffic and hijacking your account. Cookies are snippets of text that are sent to your web browser and retained in disk files, and they are used to do things like retain your account numbers, personalise information and help with services like Amazon.

    He said that even if you change the password and all settings, the old cookie will be valid and will grant the attacker access to your account.

    One of the problems is the availability of cookies sent in plain text over unencrypted channels of communication, posted Narang. He said this is due to SSL cookies not having a secure flag set, as well as appearing to contain session tokens.
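The two weaknesses described above (a session cookie without the Secure flag, and an old cookie that stays valid after a password change) have server-side fixes, sketched here as an added example that is not code from Narang's post or from LinkedIn. The class, function and cookie names are hypothetical, and HttpOnly is set as an extra hardening attribute the article does not mention.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Hypothetical server-side session table tied to a password generation."""

    def __init__(self):
        self._sessions = {}    # token -> (user, password generation at login)
        self._generation = {}  # user -> current password generation

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._generation.setdefault(user, 0))
        return token

    def change_password(self, user):
        # Bumping the generation revokes every cookie issued before the change.
        self._generation[user] = self._generation.get(user, 0) + 1

    def validate(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, generation = entry
        if generation != self._generation.get(user):
            del self._sessions[token]  # stale: issued under an old password
            return None
        return user


def session_cookie_header(token):
    """Build a Set-Cookie value that browsers will only send over HTTPS."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["secure"] = True    # never sent over plain HTTP
    cookie["session"]["httponly"] = True  # not readable from page scripts
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def missing_secure(set_cookie_value):
    """Audit helper: True if a Set-Cookie value lacks the Secure attribute."""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")[1:]]
    return "secure" not in attrs
```

`missing_secure` can be run over the `Set-Cookie` values of a captured HTTPS response to spot session cookies that a browser would also send over plain HTTP.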
