Social network site LinkedIn is vulnerable to account hijacking because the cookie it uses to grant access to accounts doesn't expire for 12 months, a security researcher has claimed.
According to a Reuters report, India-based security expert Rishi Narang said the flaws make user accounts open to break-in by criminals without even requiring passwords. Narang said the problem is caused by the way LinkedIn manages cookies. Once an account is accessed, LinkedIn places the "LEO_AUTH_TOKEN" cookie on the user's PC. This then grants the user access to their account. Unusually, this cookie does not expire for a full year from the date it is created.
Many sites - including PC Advisor - utilise cookies to allow users to remain logged in without having to constantly re-input their passwords. But the time cookies remain valid generally varies from just a few minutes for sites that allow access to financial data, to a few weeks for less sensitive sites. A full year is an unusually long time for a cookie to remain valid. If a crook got hold of the cookie, whether by copying the browser's cookie file or by capturing it in transit, they could use it to get into your LinkedIn account, without knowing the password, for the remainder of its lifetime.
LinkedIn uses SSL technology to encrypt sensitive data such as the login form, but the access cookie itself is not protected: it is sent over ordinary unencrypted HTTP connections, so anyone able to watch the traffic, for example on an open WiFi hotspot, could capture it.
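The two weaknesses described above - a login cookie that lives far too long, and one that the browser will also send over unencrypted HTTP - are both visible in a site's Set-Cookie header. The following checker is an added example, not code from the article or from LinkedIn. The headers it inspects are constructed for illustration: the first copies the pattern the article describes (the LEO_AUTH_TOKEN name with a made-up value and a one-year Expires), the second is a hardened equivalent with a made-up name, and the 14-day ceiling is an assumed policy, not a LinkedIn figure.

```python
"""Audit Set-Cookie headers for over-long lifetime and missing Secure/HttpOnly.

Added example; not from the article or from LinkedIn. Headers, cookie values
and the 14-day limit below are constructed assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed policy: a persistent login cookie should not outlive two weeks.
MAX_SESSION_LIFETIME = timedelta(days=14)

# Fixed "now" so the example is reproducible (the week of the report).
AUDIT_TIME = datetime(2011, 5, 23, tzinfo=timezone.utc)

# Constructed headers. The first mimics the pattern described in the article:
# a year-long lifetime and no Secure or HttpOnly flag. The second is a hardened
# equivalent. Cookie values are fake.
WEAK_HEADER = ("LEO_AUTH_TOKEN=deadbeefcafe; Path=/; "
               "Expires=Tue, 22 May 2012 00:00:00 GMT")
HARDENED_HEADER = ("session=0123456789abcdef; Path=/; Max-Age=1209600; "
                   "Secure; HttpOnly; SameSite=Lax")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now):
    """Return how long the cookie persists, or None for a browser-session cookie.

    Max-Age takes precedence over Expires, as browsers treat it.
    """
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # treat a bare timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def audit_set_cookie(header, now=None, max_lifetime=MAX_SESSION_LIFETIME):
    """Return a list of findings for one Set-Cookie header (empty if clean)."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    findings = []
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None and lifetime > max_lifetime:
        findings.append(f"{name}: persists for {lifetime.days} days "
                        f"(limit {max_lifetime.days}); a stolen copy works that long")
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag; the browser will also send it "
                        "over unencrypted HTTP where it can be sniffed")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag; readable by page scripts")
    return findings


if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header)
        for finding in audit_set_cookie(header, now=AUDIT_TIME) or ["clean"]:
            print("  " + finding)
```

Point it at the Set-Cookie headers any site returns after login (curl -i shows them). A short lifetime and the Secure flag are only half the fix: the server should also be able to invalidate a token on logout or password change, so that a copy stolen from disk stops working before it expires.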
In response to Narang's claims - published on his blog www.wtfuzz.com - LinkedIn released a statement, but refused to comment directly on the cookie 'flaw', saying only: "LinkedIn takes the privacy and security of our members seriously. Whether you are on LinkedIn or any other site, it's always a good idea to choose trusted and encrypted WiFi networks or VPNs (virtual private networks) whenever possible."
LinkedIn Corp went public last week.