
Researcher Hijacks LinkedIn Profiles Using Cookie

mask.of.sanity writes "A security researcher has demonstrated holes in the way cookies are handled on LinkedIn profiles by hijacking profiles. The session cookies are sent over unsecured HTTP and remain active for up to a year."
  • Firesheep? (Score:4, Interesting)

    by Robadob ( 1800074 ) on Monday May 23, 2011 @04:46PM (#36221634)
    "The session cookies are sent over unsecured HTTP" Isn't this basically the same as the way the Firefox addon Firesheep worked?
    • Yes, in fact the guy who wrote Firesheep did it to shine light on how ubiquitous the problem was. That it doesn't do much good to have a secure authentication, if the trusted session cookie is sent in the clear. I think a technical term for this is called "sidejacking."

      • It closes the hole where the unencrypted *password* can be discovered, leading to not only that one session being compromised, but other sessions being compromisable too.

        It's not *perfectly* good to only encrypt the login request, but it's certainly a lot better than "not much good". Security is all about layers, remember. Like an onion.

  • by Oxford_Comma_Lover ( 1679530 ) on Monday May 23, 2011 @04:49PM (#36221656)

    Meh. Most session cookies are sent over unsecured HTTP. The only reason this is coming up is the LinkedIn IPO.

  • It's the week of internet security breach articles!

  • A bit off topic but I noticed Facebook seems to have made everyone HTTP and not HTTPS by default now. Check your own. I had to go in and change my settings after a mate pointed out that it's now the norm. Can anyone tell me why HTTPS is not now the default standard? Given that a lot of data is now going via unsecured public wifi hotspots it seems like it's only a matter of time before it becomes a commonly used hack.

    • probably because most apps don't work with https

    • Re: (Score:2, Informative)

      by Anonymous Coward

      HTTPS is not the default standard because it requires cryptographic overhead. Your Apache web server is throwing up a bazillion pages each minute, but now has to do the same task, but while individually negotiating a secure encrypted tunnel with each client being served. It SHOULD be the default standard, but most people don't know/care what an SSL certificate is, how to actually check if their connection is secure, etc.

    • by Tim C ( 15259 )

      Not so; a lot of apps aren't available over HTTP, and so when you use one you will be prompted to switch over to HTTP. You will then remain on HTTP for the remainder of your session.

      If you log out and in again, or log on in another browser (which for me logs me off the original session), you will be redirected back to HTTPS.

      This assumes that you have set up your account settings to default to HTTPS of course.

  • Newsworthy? (Score:2, Insightful)

    by bradgoodman ( 964302 )
    Every time someone hijacks an unsecured HTTP session by stealing a cookie - this is news?

    BULLETIN: Guy leaves keys in running, unlocked car - gets stolen. News at 11.

  • Yeah, no shit. (Score:5, Insightful)

    by Anonymous Coward on Monday May 23, 2011 @04:59PM (#36221776)

    About a month ago my mom was asking me why she was able to add connections to MY LinkedIn profile. Obviously I'd logged in once on her computer and the cookie had been active ever since.

    I'd have less of a concern with it if the cookies didn't last so FUCKING long. In fact... you should only have one active login session at a time, unless they want to create the notion of a "trusted" computer whose login cookie lasts forever. But if I don't click "remember me on this computer", having the login cookie persist for long periods of time is just dumb.

  • No profit that I can think of. Granted, 13-year-olds don't need a profit motive to deface a rival's Facebook page. But in my adult world, I don't see the attraction to the risk/reward equation of a LinkedIn hijacking.

    1. hijack a LinkedIn account
    2. change the account information
    3. ????
    4. profit

    • Right?!??! What could one possibly gain besides ruining a profile page? It's not like there's payment info there.


    • by vlm ( 69642 ) on Monday May 23, 2011 @05:51PM (#36222212)

      But in my adult world, I don't see the attraction to the risk/reward equation of a LinkedIn hijacking.

      I can come up with a couple, identity theft scenarios and a couple outright theft scenarios. All basically just social engineering with greater odds of success because of massive inside info.

      "Hi HR droid, I'm vinn01, oh you saw my linkedin profile, cool, nice pic, huh? Well I need a copy of the form to add a medical insurance dependent faxed to me.. Uh huh, we named him something really trendy, Illegal Alien, yeah, what could go wrong with that?"

      "Hi, travel dept, I'm vinn01 over here in slashdot editing... yes you're right I DO work for Cmdr Taco as his personal valet, uh huh, so I was wondering if you could get me a rental car for that big trip to nowheresville I've been posting about on linkedin. uh huh, well, see, uh, I'm in a big hurry, running late, and I was wondering if you could leave the rental car keys at the new receptionist's desk, I'll pick them up on my way out."

      Then you wanna really get creepy, you figure 1 in a 1000 "healthy young people" croak per year, and imagine you're unemployed and have all the time in the world... So you get a bunch of company sponsored life insurance beneficiaries for single people changed to your name, since they're single probably no one will even notice, as soon as one croaks in a car accident and you collect your check (described on the form as "domestic partner" I suppose) then buy your private island...

      Even just simple theft. Troll until you find a mark who matches your demographics, find the newest coworker IT guy, who probably doesn't know the mark, call around to figure out the mark has the day off, walk into the office, convince the IT guy to loan the mark (actually the crook posing as the mark) a new laptop, wander off with new laptop.

      Then too, you can gather info and sell it, even if it's pseudo private. If we go back in time, someone at LinkedIn has a new coworker devoted to IPO issues and they were probably hired before the IPO was publicly announced... Notice the Apple employee suddenly has a bunch of new coworkers with certain peculiar experience profiles indicating the near future release of unannounced groundbreaking product, the iLoo, certain to revolutionize plumbing, complete with an app store and a very glossy plunger...

      Crooks might be lazy, but at least they're sometimes creative.

    • by Anonymous Coward

      it's good for spear phishing... gain access to an account, tunnel along through connections and pass off malware/spyware/trojans as a trusted friend..

      you can target people who have access to corporate and government systems to steal secrets, etc...

    • You don't think there's some vindictive asshole out there who wants to damage a professional rival's reputation and ability to conduct professional networking? Steal someone's login and send some quick messages to contacts and you could get them in *some* sort of uncomfortable situation, surely.
  • I bet I can use cookies to hijack accounts too. "A free chocolate chip cookie if you log in on this professional, secure kiosk here and do XYZ."