Researcher Hijacks LinkedIn Profiles Using Cookie 49
mask.of.sanity writes "A security researcher has demonstrated holes in the way cookies are handled on LinkedIn profiles by hijacking profiles. The session cookies are sent over unsecured HTTP and remain active for up to a year."
Newsworthy? (Score:2, Insightful)
BULLETIN: Guy leaves keys in running, unlocked card - gets stolen. News at 11.
Yeah, no shit. (Score:5, Insightful)
About a month ago my mom was asking me why she was able to add connections to MY LinkedIn profile. Obviously I'd logged in once on her computer and the cookie had been active ever since.
I'd have less of a concern with it if the cookies didn't last so FUCKING long. In fact... you should only have one active login session at a time, unless they want to create the notion of a "trusted" computer whose login cookie lasts forever. But if I don't click "remember me on this computer", having the login cookie persist for long periods of time is just dumb.