* Expert says hackers could easily access user accounts
* LinkedIn says takes customer security seriously
* LinkedIn to boost security 'in coming months'
By Jim Finkle
BOSTON, May 22 - LinkedIn's professional
networking website has security flaws that make users'
accounts vulnerable to attack by hackers who could break in
without ever needing passwords, according to a security
researcher who identified the problem.
News of the vulnerability surfaced over the weekend, only
days after LinkedIn Corp LNKD.N went public last week with a
trading debut that saw the value of its shares more than
double, evoking memories of the dot-com investment boom of the
late 1990s.
Rishi Narang -- an independent Internet security researcher
based near New Delhi, India, who discovered the security flaw
-- told Reuters on Sunday that the problem is related to the
way LinkedIn manages a commonly used type of data file known as
After a user enters the proper username and password to
access an account, LinkedIn's system creates a cookie
"LEO_AUTH_TOKEN" on the user's computer that serves as a key to
gain access to the account.
Lots of websites use such cookies, but what makes the
LinkedIn cookie unusual is that it does not expire for a full
year from the date it is created, Narang said.
He detailed the vulnerability in a posting on his blog at
www.wtfuzz.com on Saturday.
Most commercial websites would typically design their
access token cookies to expire in 24 hours, or even earlier if
a user were to first log off the account, Narang said.
There are some exceptions: Banking sites often log users
off after 5 or 10 minutes of inactivity. Google gives its users
the option of using cookies that keep them logged on for
several weeks, but it lets the user decide first.
The long life of the LinkedIn cookie means that anybody who
gets hold of that file can load it onto a PC and easily gain
access to the original user's account for as much as a year.
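A defender's check for the two cookie weaknesses the article describes, the one-year lifetime and, as covered further on, a token that is also sent over unencrypted connections. This is an added example, not LinkedIn's or Narang's code; the cookie headers, the example.com domain and the 24-hour policy limit are constructed assumptions, and only the cookie name comes from the article.

```python
"""Audit a Set-Cookie header for the two weaknesses the article describes:
a year-long lifetime and a token sent without the Secure flag. Added example,
not LinkedIn's code; the headers and policy limit below are constructed."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

MAX_SESSION_LIFETIME = timedelta(hours=24)  # assumed policy cap for auth tokens

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}

def cookie_lifetime(attrs: dict, now: datetime) -> Optional[timedelta]:
    """Lifetime from Max-Age (which wins over Expires); None means session-only."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None  # no expiry: the browser discards the cookie when it closes

def audit_cookie(header: str, now: datetime) -> list:
    """Return findings for an authentication cookie; an empty list means it passes."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    life = cookie_lifetime(attrs, now)
    if life is not None and life > MAX_SESSION_LIFETIME:
        findings.append(f"lifetime {life.days} days exceeds {MAX_SESSION_LIFETIME.days}-day policy")
    if "secure" not in attrs:
        findings.append("missing Secure: token is also sent over plain HTTP and can be sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: token is readable by scripts in the page")
    return findings

# Constructed headers modelled on the article (token value is a placeholder).
NOW = datetime(2011, 5, 22, tzinfo=timezone.utc)
WEAK_COOKIE = ("LEO_AUTH_TOKEN=PLACEHOLDER_TOKEN; Path=/; Domain=.example.com; "
               "Expires=Mon, 21 May 2012 00:00:00 GMT")
HARDENED_COOKIE = ("LEO_AUTH_TOKEN=PLACEHOLDER_TOKEN; Path=/; Domain=.example.com; "
                   "Max-Age=86400; Secure; HttpOnly")

if __name__ == "__main__":
    for label, header in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, audit_cookie(header, NOW) or ["ok"])
```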
The company issued a statement saying that it already takes
steps to secure the accounts of its customers.
"LinkedIn takes the privacy and security of our members
seriously," the statement said.
"Whether you are on LinkedIn or any other site, it's always
a good idea to choose trusted and encrypted WiFi networks or
VPNs (virtual private networks) whenever possible."
The company said that it currently supports SSL, or secure
sockets layer, technology for encrypting certain "sensitive"
data, including account logins.
But those access token cookies are not yet scrambled with
SSL. That makes it possible for hackers to steal the cookies
using widely available tools for sniffing Internet traffic,
LinkedIn said in its statement that it is preparing to
offer "opt-in" SSL support for other parts of the site, an
option that would cover encryption of those cookies. The
company said it expected that to be available "in the coming
But LinkedIn officials declined to respond to Narang's
critique of the company's use of a cookie with a one-year
Narang said the problem is particularly acute because
LinkedIn's users are not aware of the problem and have no idea
that they should be protecting those cookies.
He said he found that four cookies with valid LinkedIn access
tokens had been uploaded to a LinkedIn developer forum by users
who were posting questions about their use.
He said he downloaded those cookies and was able to access
the accounts of the four LinkedIn subscribers.
(Reporting by Jim Finkle; Editing by Tim Dobbyn)