Many genealogists and family historians are, like me, members of the professional social network LinkedIn. If you are, you’ll be disappointed to learn that LinkedIn is just one more major website with a serious security flaw that enables a hijacker to access a user’s account without needing a password.
Its vulnerability is directly tied to the management of the login cookies saved on the user’s computer.
When you log on to the networking site, the system saves a “LEO AUTH TOKEN” cookie that acts as a key to your account: whoever presents it is let in without entering your password.
Most sites use login cookies that expire within 24 hours or less. In fact, banking sites often log users out after 5 or 10 minutes of inactivity. By contrast, Google offers the option of using cookies that keep the user logged in for 2 weeks.
If 2 weeks sounds like a long time, you’ll be surprised to learn that the LinkedIn cookie doesn’t expire for a full year from the date it is created. This sounds like an occasion where apparent convenience might not be the way to go.
And, although LinkedIn does use SSL (Secure Sockets Layer) to protect your data and login information, the cookie itself is not protected. This means anyone monitoring Web traffic with a sniffing tool like Firesheep can capture the cookie and use it to hijack your account and everything it gives access to.
LinkedIn is developing an SSL “opt-in” protection to encrypt cookies. This will be available in the coming months.
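The two weaknesses described above, a login cookie that is sent over unencrypted connections and one that lives far longer than it should, are both visible in the attributes of the `Set-Cookie` header a site returns. The following checker is an added example written for this post; it is not LinkedIn’s code, and the cookie values in it are constructed placeholders. It flags a cookie that lacks the `Secure` flag (so the browser will send it over plain HTTP), lacks `HttpOnly`, or is set to last longer than one day.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Longest lifetime we accept for a login cookie before flagging it (assumption).
MAX_LIFETIME = timedelta(days=1)


def audit_set_cookie(header: str, now: datetime) -> list:
    """Return a list of findings for one Set-Cookie header value.

    Checks whether the cookie is restricted to encrypted connections (Secure),
    hidden from page scripts (HttpOnly), and how long it lives (Max-Age or Expires).
    `now` must be a timezone-aware datetime so Expires can be compared to it."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure flag, so it is sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly flag")
        lifetime = None
        if morsel["max-age"]:
            lifetime = timedelta(seconds=int(morsel["max-age"]))
        elif morsel["expires"]:
            expires = parsedate_to_datetime(morsel["expires"])
            if expires.tzinfo is None:  # treat a naive parse result as UTC
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = expires - now
        if lifetime is not None and lifetime > MAX_LIFETIME:
            findings.append(f"{name}: lifetime of {lifetime.days} days exceeds {MAX_LIFETIME.days} day(s)")
    return findings


if __name__ == "__main__":
    # Constructed sample headers; the token values are placeholders, not real cookies.
    now = datetime(2011, 6, 1, tzinfo=timezone.utc)
    samples = [
        "LEO_AUTH_TOKEN=constructed-example-value; Path=/; Expires=Fri, 01 Jun 2012 00:00:00 GMT",
        "sid=constructed-example-value; Path=/; Max-Age=3600; Secure; HttpOnly",
    ]
    for header in samples:
        print(header)
        for finding in audit_set_cookie(header, now) or ["no findings"]:
            print("  -", finding)
```

The first sample reproduces the pattern described in the post (no `Secure` flag, one-year expiry) and draws three findings; the second, a short-lived cookie sent only over SSL, draws none.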
It’s interesting to note that the LinkedIn vulnerabilities were discovered so soon after the widely advertised initial public offering on May 19.
There is a solution. All you need to do is expire the cookie by changing your password and logging out.