Researcher Hijacks LinkedIn Profiles Using Cookie
mask.of.sanity writes "A security researcher has demonstrated holes in the way cookies are handled on LinkedIn profiles by hijacking profiles. The session cookies are sent over unsecured HTTP and remain active for up to a year."
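The two weaknesses the summary describes, a session cookie the browser will send over plain HTTP and a lifetime of about a year, are both visible in the Set-Cookie header the site returns. The checker below is an added example, not code from the article or from LinkedIn: it parses a raw Set-Cookie value and reports a missing Secure flag, a missing HttpOnly flag, and a lifetime over a threshold. The cookie name sess_id, the sample header strings, the "current" date and the 24-hour threshold are all constructed for illustration, not LinkedIn's real values.

```python
"""Audit Set-Cookie headers for plaintext exposure and excessive lifetime.

Added example; not code from the article or from LinkedIn. The headers,
cookie name, dates and threshold below are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SESSION_LIFETIME = timedelta(hours=24)  # assumed policy threshold


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now):
    """Remaining lifetime as a timedelta, or None for a browser-session cookie.

    Max-Age takes precedence over Expires, as RFC 6265 specifies.
    """
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def audit_set_cookie(header, now=None, max_lifetime=MAX_SESSION_LIFETIME):
    """Return a list of finding strings; an empty list means the cookie passed."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("secure") is not True:
        findings.append(f"{name}: missing Secure; the browser will send it over plain HTTP")
    if attrs.get("httponly") is not True:
        findings.append(f"{name}: missing HttpOnly; readable by page scripts")
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None and lifetime > max_lifetime:
        findings.append(f"{name}: lives {lifetime.days} days, longer than {max_lifetime}")
    return findings


# Constructed samples: WEAK resembles what the story describes (sendable over
# plaintext, valid for about a year); HARDENED is the corrected form.
NOW = datetime(2011, 5, 23, 12, 0, tzinfo=timezone.utc)  # assumed "current" time
WEAK = "sess_id=abc123; Path=/; Expires=Tue, 22 May 2012 12:00:00 GMT"
HARDENED = "sess_id=abc123; Path=/; Max-Age=3600; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(header)
        for finding in audit_set_cookie(header, now=NOW) or ["ok"]:
            print("  -", finding)
```

Run it against the Set-Cookie headers captured from a real login response (for example from a proxy log) to see which cookies a sidejacker on an open network could replay and for how long.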
Re: (Score:2)
Glad I don't pay for a subscription - hopefully at least there they require another token besides the one set when logging in, in order to get to order and CC info; or better yet, they don't save CC info.
Even so, I rarely log in to
Firesheep? (Score:4, Interesting)
Re: (Score:3)
Yes: http://en.wikipedia.org/wiki/Firesheep [wikipedia.org]
Re: (Score:2)
Yes, in fact the guy who wrote Firesheep did it to shine light on how ubiquitous the problem was. That it doesn't do much good to have a secure authentication, if the trusted session cookie is sent in the clear. I think a technical term for this is called "sidejacking."
Re: (Score:2)
It closes the hole where the unencrypted *password* can be discovered, leading to not only that one session being compromised, but other sessions being compromisable too.
It's not *perfectly* good to only encrypt the login request, but it's certainly a lot better than "not much good". Security is all about layers, remember. Like an onion.
Session Cookies (Score:4)
Meh. Most session cookies are sent over unsecured HTTP. The only reason this is coming up is the LinkedIn IPO.
Re: (Score:2)
That you exit your browser is completely irrelevant to the person who has a copy of the cookie you sent in the clear already.
Again (Score:1)
It's the week of internet security breach articles!
Bit offtopic but facebook defaults to http now (Score:1)
A bit off topic, but I noticed Facebook seems to have made everyone HTTP and not HTTPS by default now. Check your own. I had to go in and change my settings after a mate pointed out that it's now the norm. Can anyone tell me why HTTPS is not now the default standard? Given that a lot of data is now going via unsecured public wifi hotspots, it seems like it's only a matter of time before it becomes a commonly used hack.
Re: (Score:3)
Probably because most apps don't work with HTTPS.
Re: (Score:2, Informative)
HTTPS is not the default standard because it requires cryptographic overhead. Your Apache web server is throwing up a bazillion pages each minute, but now has to do the same task, but while individually negotiating a secure encrypted tunnel with each client being served. It SHOULD be the default standard, but most people don't know/care what an SSL certificate is, how to actually check if their connection is secure, etc.
Re: (Score:2)
http://en.wikipedia.org/wiki/Transport_Layer_Security#Resumed_TLS_handshake [wikipedia.org]
to make this work you need a "sticky" load balancer, which is trivial if you've a small web farm but if you've a large CDN it's not trivial.
Re: (Score:2)
Not so; a lot of apps aren't available over HTTPS, and so when you use one you will be prompted to switch over to HTTP. You will then remain on HTTP for the remainder of your session.
If you log out and in again, or log on in another browser (which for me logs me off the original session), you will be redirected back to HTTPS.
This assumes that you have set up your account settings to default to HTTPS of course.
Newsworthy? (Score:2, Insightful)
BULLETIN: Guy leaves keys in running, unlocked car - gets stolen. News at 11.
That a good analogy? (Score:2)
Re: (Score:2)
Manufacturer sells key-less cars, customers kidnapped and held for ransom!
Yeah, no shit. (Score:5, Insightful)
About a month ago my mom was asking me why she was able to add connections to MY LinkedIn profile. Obviously I'd logged in once on her computer and the cookie had been active ever since.
I'd have less of a concern with it if the cookies didn't last so FUCKING long. In fact... you should only have one active login session at a time, unless they want to create the notion of a "trusted" computer whose login cookie lasts forever. But if I don't click "remember me on this computer", having the login cookie persist for long periods of time is just dumb.
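The policy sketched in the post above (a short-lived session unless the user ticked "remember me", one active login per account, and an explicit logout) is straightforward to implement server-side. The store below is an added example, not LinkedIn's code. The 30-minute idle timeout, the 30-day "remember me" lifetime, the cookie name sess_id and the injected clock are assumptions for illustration; the design choice of storing only a hash of the token is so that a leaked session table does not hand out live cookies.

```python
"""Server-side session store: short idle sessions, single active login,
explicit logout, and a browser-session cookie unless "remember me" was set.

Added example; not code from the article or from LinkedIn. Timeouts, cookie
name and the fake clock are constructed assumptions.
"""
import hashlib
import secrets
import time

IDLE_TIMEOUT = 30 * 60             # seconds; assumed policy
REMEMBER_ME_LIFETIME = 30 * 86400  # seconds; assumed policy
COOKIE_NAME = "sess_id"            # assumed cookie name


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}  # sha256(token) -> {"user", "remember", "expires"}

    @staticmethod
    def _key(token):
        # Store a digest, not the token: a dumped table is useless to a thief.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, remember_me=False):
        """Create a session for user, revoking any other session they hold."""
        for key, sess in list(self._sessions.items()):
            if sess["user"] == user:
                del self._sessions[key]
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
        lifetime = REMEMBER_ME_LIFETIME if remember_me else IDLE_TIMEOUT
        self._sessions[self._key(token)] = {
            "user": user,
            "remember": remember_me,
            "expires": self.clock() + lifetime,
        }
        return token

    def user_for(self, token):
        """Resolve a cookie value to a user, or None if unknown or expired."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self.clock()
        if now >= sess["expires"]:
            del self._sessions[key]
            return None
        if not sess["remember"]:
            sess["expires"] = now + IDLE_TIMEOUT  # sliding idle window
        return sess["user"]

    def logout(self, token):
        """The log-out link: drop the session server-side, not just the cookie."""
        self._sessions.pop(self._key(token), None)


def session_cookie(token, remember_me):
    """Set-Cookie value: no Max-Age means the browser discards it on exit."""
    header = f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly"
    if remember_me:
        header += f"; Max-Age={REMEMBER_ME_LIFETIME}"
    return header


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock)
    tok = store.login("alice")
    print("fresh login ->", store.user_for(tok))
    clock.advance(IDLE_TIMEOUT + 1)
    print("after idle timeout ->", store.user_for(tok))
    print(session_cookie(store.login("alice", remember_me=True), True))
```

With this policy the scenario in the post cannot occur: a login on someone else's machine without "remember me" leaves a cookie that dies with the browser and a server record that dies after thirty idle minutes, and logging in from your own machine later revokes it anyway.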
Re: (Score:1)
There is log out link. Use it.
Re: (Score:3)
You should make another OS account and use it. :P
Re: (Score:2)
(to the rhythm of Burma Shave)
I have no skills
I have no friends
I don't have much on LinkedIn
Haven't compared
Epic Fail
Re: (Score:3)
Bullshit.
Networking is the number 1 way to get employment. Your skills only dictate the level of employment you get, and advancement.
LinkedIn is just a way to network. It's another tool. The fact is, LinkedIn has a business plan, and a way to make money; which is a hell of a lot different than the boom in the late 90s, which was "Sell at a loss, make up for it in volume."
LinkedIn is becoming one of the first places people check when they are thinking of hiring you.
Is there profit in LinkedIn hijacking? (Score:2)
No profit that I can think of. Granted, 13-year-olds don't need a profit motive to deface a rival's Facebook page. But in my adult world, I don't see the attraction to the risk/reward equation of a LinkedIn hijacking.
1. hijack a LinkedIn account
2. change the account information
3. ????
4. profit
Re: (Score:1)
Right?!??! What could one possibly gain besides ruining a profile page? It's not like there's payment info there.
Re:Is there profit in LinkedIn hijacking? (Score:4, Interesting)
But in my adult world, I don't see the attraction to the risk/reward equation of a LinkedIn hijacking.
I can come up with a couple identity theft scenarios and a couple outright theft scenarios. All basically just social engineering with greater odds of success because of massive inside info.
"Hi HR droid, I'm vinn01, oh you saw my linkedin profile, cool, nice pic, huh? Well I need a copy of the form to add a medical insurance dependent faxed to me.. Uh huh, we named him something really trendy, Illegal Alien, yeah, what could go wrong with that?"
"Hi, travel dept, I'm vinn01 over here in slashdot editing... yes you're right I DO work for Cmdr Taco as his personal valet, uh huh, so I was wondering if you could get me a rental car for that big trip to nowheresville I've been posting about on linkedin. uh huh, well, see, uh, I'm in a big hurry, running late, and I was wondering if you could leave the rental car keys at the new receptionist's desk, I'll pick them up on my way out."
Then you wanna really get creepy, you figure 1 in 1000 "healthy young people" croak per year, and imagine you're unemployed and have all the time in the world... So you get a bunch of company sponsored life insurance beneficiaries for single people changed to your name, since they're single probably no one will even notice, as soon as one croaks in a car accident and you collect your check (described on the form as "domestic partner" I suppose) then buy your private island...
Even just simple theft. Troll until you find a mark who matches your demographics, find the newest coworker IT guy, who probably doesn't know the mark, call around to figure out the mark has the day off, walk into the office, convince the IT guy to loan the mark (actually the crook posing as the mark) a new laptop, wander off with new laptop.
Then too, you can gather info and sell it, even if it's pseudo-private. If we go back in time, someone at LinkedIn has a new coworker devoted to IPO issues and they were probably hired before the IPO was publicly announced... Notice the Apple employee suddenly has a bunch of new coworkers with certain peculiar experience profiles indicating the near future release of unannounced groundbreaking product, the iLoo, certain to revolutionize plumbing, complete with an app store and a very glossy plunger...
Crooks might be lazy, but at least they're sometimes creative.
Re: (Score:1)
It's good for spear phishing... gain access to an account, tunnel along through connections and pass off malware/spyware/trojans as a trusted friend..
you can target people who have access to corporate and government systems to steal secrets, etc...
Using Cookie (Score:2)