Narang says there are, in particular, two cookie-related vulnerabilities. The first is that LinkedIn's SSL cookies are set without the Secure flag, which means the session credentials can be observed in plaintext. This makes a man-in-the-middle attack highly feasible: a third-party website could remotely redirect a user to the HTTPS log-in page for LinkedIn and watch the relevant credentials being passed back and forth. All LinkedIn needs to do to fix this is set the Secure flag on any cookie used with an HTTPS page, such as the log-in page.
The other vulnerability is that LinkedIn sets its cookies not to expire for a whole year and does not invalidate them when a user logs out. With such a cookie in hand, an attacker can authenticate as the user it belongs to. LinkedIn has said it is working on related improvements, but for now users should try to access LinkedIn only over secured networks.
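The two weaknesses described above can be checked and addressed in code. The following is an added example, not LinkedIn's code or anything from Narang's report: it audits a Set-Cookie header for a missing Secure flag and an over-long lifetime, and shows a server-side session registry so that logout actually revokes the cookie value. The cookie names, values, dates and the one-day threshold are constructed for illustration.

```python
import secrets
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample headers (names and values made up): the first shows the
# two weaknesses described above, the second is the corrected form.
WEAK_HEADER = ("session_token=abc123; Path=/; "
               "Expires=Fri, 25 May 2012 13:30:00 GMT; HttpOnly")
FIXED_HEADER = "session_token=abc123; Path=/; Max-Age=3600; Secure; HttpOnly"
ISSUED_AT = datetime(2011, 5, 25, 13, 30, tzinfo=timezone.utc)  # constructed
MAX_LIFETIME = timedelta(days=1)  # illustrative threshold for a session cookie

def audit_set_cookie(header, now=None):
    """Return findings for one Set-Cookie value: missing Secure flag, long lifetime."""
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            # Without Secure, the browser also attaches the cookie to plain-HTTP
            # requests, so a redirect to http:// exposes the session value.
            findings.append(f"{name}: no Secure flag")
        lifetime = None
        if morsel["max-age"]:
            lifetime = timedelta(seconds=int(morsel["max-age"]))
        elif morsel["expires"]:
            lifetime = parsedate_to_datetime(morsel["expires"]) - now
        if lifetime is not None and lifetime > MAX_LIFETIME:
            findings.append(f"{name}: lifetime of {lifetime.days} days")
    return findings

class SessionStore:
    """Server-side registry: a cookie value authenticates only while it is listed here."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token  # value to place in the Set-Cookie header

    def user_for(self, token):
        return self._sessions.get(token)  # None once revoked or never issued

    def logout(self, token):
        # Dropping the entry revokes the cookie even if its Expires is a year away.
        self._sessions.pop(token, None)
```

Running the audit on WEAK_HEADER reports both the missing Secure flag and a 366-day lifetime, while FIXED_HEADER passes cleanly.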
Publish date: May 25, 2011 1:30 pm | Modified date: December 18, 2013 7:53 pm