Slashdot Mirror


Researcher Hijacks LinkedIn Profiles Using Cookie

mask.of.sanity writes "A security researcher has demonstrated holes in the way cookies are handled on LinkedIn profiles by hijacking profiles. The session cookies are sent over unsecured HTTP and remain active for up to a year."

49 comments

  1. Firesheep? by Robadob · · Score: 3, Interesting

    "The session cookies are sent over unsecured HTTP" Isn't this basically the same as the way the firefox addon firesheep worked?

    1. Re:Firesheep? by coolsnowmen · · Score: 1

      Yes, in fact the guy who wrote Firesheep did it to shine light on how ubiquitous the problem was: that it doesn't do much good to have secure authentication if the trusted session cookie is sent in the clear. I think the technical term for this is "sidejacking."

    2. Re:Firesheep? by IAmGarethAdams · · Score: 1

      It closes the hole where the unencrypted *password* can be discovered, leading to not only that one session being compromised, but other sessions being compromisable too.

      It's not *perfectly* good to only encrypt the login request, but it's certainly a lot better than "not much good". Security is all about layers, remember. Like an onion.
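The thread above turns on two properties of the session cookie: whether the browser will send it over plain HTTP at all (the Firesheep case) and how long it stays valid (the summary's "up to a year"). The following Python is an example added to this page, not code from the thread, from LinkedIn or from Slashdot; it audits a Set-Cookie header for exactly those properties. The header strings and the 12-hour lifetime ceiling are constructed assumptions.

```python
"""Audit a Set-Cookie header for the two weaknesses the thread discusses:
a session cookie the browser may send over plain HTTP (no Secure flag, the
Firesheep/sidejacking case) and one that stays valid for about a year.
Example code added to this page; not LinkedIn's or Slashdot's code. The
header strings and the 12-hour lifetime ceiling are constructed assumptions."""

from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

ONE_DAY = 86400
MAX_SESSION_LIFETIME = 12 * 3600  # assumed policy ceiling for a login cookie


@dataclass
class CookieReport:
    name: str
    lifetime: Optional[int] = None            # seconds; None means session-only cookie
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Max-Age=..., Path=...) to their string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def cookie_lifetime_seconds(attrs: dict, now: datetime) -> Optional[int]:
    """Lifetime the browser will apply: Max-Age wins over Expires (RFC 6265);
    neither present means the cookie dies with the browser process."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return int((expires - now).total_seconds())
    return None


def audit_set_cookie(header: str, now: datetime,
                     max_lifetime: int = MAX_SESSION_LIFETIME) -> CookieReport:
    """Flag the transport and lifetime problems a defender would look for."""
    name, _value, attrs = parse_set_cookie(header)
    report = CookieReport(name)
    if attrs.get("secure") is not True:
        report.findings.append(
            "no Secure flag: browser will also send it over plain HTTP")
    if attrs.get("httponly") is not True:
        report.findings.append("no HttpOnly flag: readable by page scripts")
    if "samesite" not in attrs:
        report.findings.append("no SameSite attribute")
    report.lifetime = cookie_lifetime_seconds(attrs, now)
    if report.lifetime is not None and report.lifetime > max_lifetime:
        report.findings.append(
            f"persists {report.lifetime // ONE_DAY} days, over the "
            f"{max_lifetime // 3600} hour ceiling")
    return report


# Constructed samples, not captured from any real site.
NOW = datetime(2011, 5, 23, tzinfo=timezone.utc)
WEAK_HEADER = "sess=0123456789abcdef; Path=/; Max-Age=31536000"
EXPIRES_HEADER = ("sess=0123456789abcdef; Path=/; "
                  "Expires=Wed, 23 May 2012 12:00:00 GMT; Secure; HttpOnly")
HARDENED_HEADER = "sess=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK_HEADER, EXPIRES_HEADER, HARDENED_HEADER):
        report = audit_set_cookie(header, NOW)
        print(header)
        print("  OK" if report.ok else "\n".join(f"  - {f}" for f in report.findings))
```

The Secure flag is the property that decides whether a passive listener on an open wifi network ever sees the cookie; the lifetime decides how long a copy, once obtained, stays useful. A hardened header with neither Max-Age nor Expires is a true session cookie and reports no findings.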

  2. Session Cookies by Oxford_Comma_Lover · · Score: 3

    Meh. Most session cookies are sent over unsecured HTTP. The only reason this is coming up is the linkedin IPO.

    --
    IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    1. Re:Session Cookies by Anonymous Coward · · Score: 0

      Presumably this also requires the (l)user to send 3rd party cookies.

    2. Re:Session Cookies by Anonymous Coward · · Score: 0

      Session-only cookies (with respect to the browser process, not the login) are the solution. So the one-year lifetime only applies if you never exit your browser in that time. Don't know about you, but my world changes more than that. :)

    3. Re:Session Cookies by nedlohs · · Score: 1

      That you exit your browser is completely irrelevant to the person who has a copy of the cookie you sent in the clear already.

    4. Re:Session Cookies by GP1911 · · Score: 2

      The session will still be valid on the server after the user closes their browser. There's no way for it to know when a user ends their browsing session. And someone capturing the session cookie could just use it immediately to keep the session active as well.
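GP1911's point, that the server has no way of knowing the browser was closed, is easiest to see from the server's side. The following Python is an illustration added to this page, not part of the thread or of any real site's session code: it models a minimal server-side session store with an injectable clock, and the scenario function walks through the comments above (a copied token keeps working after the browser is closed, explicit logout ends the session for owner and copy alike, and timeouts bound the exposure regardless). The 30-minute idle and 12-hour absolute timeouts are assumptions.

```python
"""Server-side view of the point GP1911 and nedlohs make: the server never
learns that a browser was closed, so a session (and any copy of its token)
stays valid until the server ends it, by logout or by timeout.
Example code added to this page, not any real site's session code; the
timeouts are assumptions."""

import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60         # assumed: 30 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 12 * 3600   # assumed: no login lasts longer than 12 hours, however active


class FakeClock:
    """Injected clock so the scenario below runs instantly and deterministically."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Issue an unguessable token; this is the value that goes in the cookie."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Map a presented token to a user, enforcing both timeouts server-side."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if (now - session.created > ABSOLUTE_TIMEOUT
                or now - session.last_seen > IDLE_TIMEOUT):
            del self._sessions[token]
            return None
        session.last_seen = now
        return session.user

    def logout(self, token: str) -> bool:
        """Explicit logout is the only client action the server can observe."""
        return self._sessions.pop(token, None) is not None

    def logout_everywhere(self, user: str) -> int:
        """Revoke every session of a user, e.g. after they suspect a copied cookie."""
        stale = [t for t, s in self._sessions.items() if s.user == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def run_scenario() -> Dict[str, bool]:
    """Walk through the thread's argument; every value should come out True."""
    clock = FakeClock()
    store = SessionStore(clock)
    results = {}

    token = store.login("alice")
    copied = token  # the same string, as held by anyone who read it off the wire
    # The user "closes the browser": nothing reaches the server, so nothing changes.
    results["copy_valid_after_browser_close"] = store.resolve(copied) == "alice"

    # Periodic use keeps the idle timer from ever firing.
    clock.advance(IDLE_TIMEOUT - 60)
    results["copy_kept_alive_by_use"] = store.resolve(copied) == "alice"

    # Logout is what actually ends it, for the owner and the copy alike.
    results["logout_revokes"] = store.logout(token)
    results["copy_dead_after_logout"] = store.resolve(copied) is None

    # An unused session dies on its own after the idle timeout.
    idle_token = store.login("alice")
    clock.advance(IDLE_TIMEOUT + 1)
    results["dead_after_idle_timeout"] = store.resolve(idle_token) is None

    # Even constant use cannot extend a session past the absolute limit.
    busy_token = store.login("alice")
    alive = True
    for _ in range(ABSOLUTE_TIMEOUT // 900):
        clock.advance(900)
        alive = alive and store.resolve(busy_token) == "alice"
    results["alive_up_to_absolute_limit"] = alive
    clock.advance(900)
    results["dead_after_absolute_limit"] = store.resolve(busy_token) is None

    # "Sign out everywhere" clears every remaining session at once.
    a, b = store.login("alice"), store.login("alice")
    results["logout_everywhere_clears_all"] = (
        store.logout_everywhere("alice") == 2
        and store.resolve(a) is None and store.resolve(b) is None)
    return results


if __name__ == "__main__":
    for step, ok in run_scenario().items():
        print(f"{step:32} {'ok' if ok else 'FAILED'}")
```

The two timeouts are what stand in for the browser-close event the server cannot see: the idle timeout limits how long an unused copy stays useful, the absolute timeout caps even a copy that is kept busy, and a "sign out everywhere" control lets the account owner end sessions they never started.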

    5. Re:Session Cookies by Anonymous Coward · · Score: 0

      Your solution sucks and has exploits. Please do not work on anything IT related for a while. Thank you.

  3. Again by zanian · · Score: 1

    It's the week of internet security breach articles!

    1. Re:Again by Anonymous Coward · · Score: 0

      It's the week of internet security breach articles!

      And it's only Monday.

  4. Bit offtopic but facebook defaults to http now by Anonymous Coward · · Score: 1

    A bit off topic, but I noticed Facebook seems to have made everyone HTTP and not HTTPS by default now. Check your own. I had to go in and change my settings after a mate pointed out that it's now the norm. Can anyone tell me why HTTPS is not now the default standard? Given that a lot of data is now going via unsecured public wifi hotspots, it seems like it's only a matter of time before it becomes a commonly used hack.

    1. Re:Bit offtopic but facebook defaults to http now by mehrotra.akash · · Score: 2

      Probably because most apps don't work with HTTPS.

    2. Re:Bit offtopic but facebook defaults to http now by Anonymous Coward · · Score: 2, Informative

      HTTPS is not the default standard because it requires cryptographic overhead. Your Apache web server is throwing up a bazillion pages each minute, but now has to do the same task, but while individually negotiating a secure encrypted tunnel with each client being served. It SHOULD be the default standard, but most people don't know/care what an SSL certificate is, how to actually check if their connection is secure, etc.

    3. Re:Bit offtopic but facebook defaults to http now by Tim C · · Score: 1

      Not so; a lot of apps aren't available over HTTP, and so when you use one you will be prompted to switch over to HTTP. You will then remain on HTTP for the remainder of your session.

      If you log out and in again, or log on in another browser (which for me logs me off the original session), you will be redirected back to HTTPS.

      This assumes that you have set up your account settings to default to HTTPS of course.

    4. Re:Bit offtopic but facebook defaults to http now by speculatrix · · Score: 1

      https allows "reuse" and some savings in crypto overhead:
      http://en.wikipedia.org/wiki/Transport_Layer_Security#Resumed_TLS_handshake

      to make this work you need a "sticky" load balancer, which is trivial if you've a small web farm but if you've a large CDN it's not trivial.

  5. Newsworthy? by bradgoodman · · Score: 1, Insightful

    Every time someone hijacks an unsecured HTTP session by stealing a cookie - this is news?

    BULLETIN: Guy leaves keys in running, unlocked card - gets stolen. News at 11.

    1. Re:Newsworthy? by Anonymous Coward · · Score: 0

      I leave my card unlocked and running all the time. Now I know better!

  6. Yeah, no shit. by Anonymous Coward · · Score: 5, Insightful

    About a month ago my mom was asking me why she was able to add connections to MY LinkedIn profile. Obviously I'd logged in once on her computer and the cookie had been active ever since.

    I'd have less of a concern with it if the cookies didn't last so FUCKING long. In fact... you should only have one active login session at a time, unless they want to create the notion of a "trusted" computer whose login cookie lasts forever. But if I don't click "remember me on this computer", having the login cookie persist for long periods of time is just dumb.

    1. Re:Yeah, no shit. by Anonymous Coward · · Score: 0

      I never grant any website the ability to create cookies that aren't session cookies. Unfortunately, Firefox insists on asking me every time. I wish I could just make this the default behavior.

    2. Re:Yeah, no shit. by Anonymous Coward · · Score: 1

      There is log out link. Use it.

    3. Re:Yeah, no shit. by antdude · · Score: 2

      You should make another OS account and use it. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    4. Re:Yeah, no shit. by creat3d · · Score: 1

      Check out CookieSafe, a very handy add-on to have along with NoScript and AdBlock.

      --
      Grammar nazis are to this community what excrements are to gold.
  7. That a good analogy? by xMrFishx · · Score: 1

    I prefer: Manufacturer sells key-less cars, get stolen from customers. News at 6.

    1. Re:That a good analogy? by Surt · · Score: 1

      Manufacturer sells key-less cars, customers kidnapped and held for ransom!

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    2. Re:That a good analogy? by xMrFishx · · Score: 1

      Plus One, Improvement!

    3. Re:That a good analogy? by Kittenman · · Score: 1

      Ah... car analogies... I knew they'd be here somewhere.

      --
      "The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
  8. Re:LinkedIn is worthless by Anonymous Coward · · Score: 0

    Next IPO, breedersr.us, a social media darling to compare and comment on cock sizes.

  9. Re:LinkedIn is worthless by Archangel Michael · · Score: 1

    (to the rhythm of Burma Shave)

    I have no skills
    I have no friends
    I don't have much on LinkedIn
    Haven't compared
    Epic Fail

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  10. Is there profit in LinkedIn hijacking? by vinn01 · · Score: 1

    No profit that I can think of. Granted, 13-year-olds don't need a profit motive to deface a rival's Facebook page. But in my adult world, I don't see the attraction to the risk/reward equation of a LinkedIn hijacking.

    1. hijack a LinkedIn account
    2. change the account information
    3. ????
    4. profit

    1. Re:Is there profit in LinkedIn hijacking? by matthew_t_west · · Score: 1

      Right?!??! What could one possibly gain besides ruining a profile page? It's not like there's payment info there.

      M

      --
      Browse at 1. You'll thank me later.
    2. Re:Is there profit in LinkedIn hijacking? by vlm · · Score: 3, Interesting

      But in my adult world, I don't see the attraction to the risk/reward equation of a LinkedIn hijacking.

      I can come up with a couple of identity theft scenarios and a couple of outright theft scenarios. All basically just social engineering with greater odds of success because of massive inside info.

      "Hi HR droid, I'm vinn01, oh you saw my linkedin profile, cool, nice pic, huh? Well I need a copy of the form to add a medical insurance dependent faxed to me.. Uh huh, we named him something really trendy, Illegal Alien, yeah, what could go wrong with that?"

      "Hi, travel dept, I'm vinn01 over here in slashdot editing... yes you're right I DO work for Cmdr Taco as his personal valet, uh huh, so I was wondering if you could get me a rental car for that big trip to nowheresville I've been posting about on linkedin. uh huh, well, see, uh, I'm in a big hurry, running late, and I was wondering if you could leave the rental car keys at the new receptionist's desk, I'll pick them up on my way out."

      Then you wanna really get creepy, you figure 1 in a 1000 "healthy young people" croak per year, and imagine you're unemployed and have all the time in the world... So you get a bunch of company sponsored life insurance beneficiaries for single people changed to your name, since they're single probably no one will even notice, as soon as one croaks in a car accident and you collect your check (described on the form as "domestic partner" I suppose) then buy your private island...

      Even just simple theft. Troll until you find a mark who matches your demographics, find the newest coworker IT guy, who probably doesn't know the mark, call around to figure out the mark has the day off, walk into the office, convince the IT guy to loan the mark (actually the crook posing as the mark) a new laptop, wander off with new laptop.

      Then too, you can gather info and sell it, even if it's pseudo-private. If we go back in time, someone at LinkedIn has a new coworker devoted to IPO issues and they were probably hired before the IPO was publicly announced... Notice the Apple employee suddenly has a bunch of new coworkers with certain peculiar experience profiles indicating the near future release of unannounced groundbreaking product, the iLoo, certain to revolutionize plumbing, complete with an app store and a very glossy plunger...

      Crooks might be lazy, but at least they're sometimes creative.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:Is there profit in LinkedIn hijacking? by Anonymous Coward · · Score: 1

      It's good for spear phishing... gain access to an account, tunnel along through connections and pass off malware/spyware/trojans as a trusted friend..

      you can target people who have access to corporate and government systems to steal secrets, etc...

    4. Re:Is there profit in LinkedIn hijacking? by FooAtWFU · · Score: 1

      You don't think there's some vindictive asshole out there who wants to damage a professional rival's reputation and ability to conduct professional networking? Steal someone's login and send some quick messages to contacts and you could get them in *some* sort of uncomfortable situation, surely.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
  11. Re:LinkedIn is worthless by geekoid · · Score: 2

    Bullshit.

    Networking is the number 1 way to get employment. Your skills only dictate the level of employment you get, and advancement.

    LinkedIn is just a way to network. It's another tool. The fact is, LinkedIn has a business plan, and a way to make money; which is a hell of a lot different than the boom in the late 90s, which was 'Sell at a loss, make up for it in volume'.

    LinkedIn is becoming one of the first places people check when they are thinking of hiring you.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  12. LinkedIn Is A Joke by Anonymous Coward · · Score: 0

    They can't even be configured to send non-HTMLized update emails anymore.

  13. I told you so by Anonymous Coward · · Score: 0

    I told the stupid bastards over a year ago the whole site should be protected by SSL, not just the signon. To have that kind of personal information floating around the net is unacceptable. The guy in customer service just gave me a blank stare via email. I haven't been back to the site since. Not surprised to read this today in slashdot.

    Have a nice day, you dopes! Get a clue and come back when you know how to run a secure website!

  14. does it matter? by Anonymous Coward · · Score: 0

    OHHHH NOO not my linked in account.. what ever will I do? Man I hate that site!

  15. Re:LinkedIn is worthless by Hazel Bergeron · · Score: 0, Flamebait

    No, skill is the number one way to get employment. Level/advancement is part of getting employment - unless you're being obtuse and counting anything whatever which pays (and no-one at McDonalds reads your LinkedIn profile).

    If you do cool things in your field, you will gain a reputation which will put you in demand. If you are not already heard of, you can show what you have done. Publish first, publish/perish, etc. Your CV will list your qualifications and provide pointers to any portfolio.

    The number 2 way is networking, which has some value in terms of trusting personal recommendations but is mainly just humans demonstrating the usual primate social behaviour and favouring their group for its own sake.

    And number 3 is poor substitutes for networking such as LinkedIn. So, it's like I said in my initial post - which will be angrily modded down because everyone with a LinkedIn profile is embarrassed to be a number 3.

    LinkedIn is becoming one of the first places people check when they are thinking of hiring you.

    Maybe the people you work with. Anyone who uses such masturbatory nonsense to judge you (or the person you claim to be, or the person someone else claims to be you) is going to be a terrible employer. It's even worse than people who use your Facebook profiles to judge you, because at least there's the small chance that the Facebook profile wasn't simply engineered to get you a better job than you're cut out for.

    LinkedIn is popular today because everyone's desperately seeking employment, perhaps preemptively. Desperation often results in irrational behaviour. The problem is that there's not enough work to go around because we're organised/sufficiently advanced such that we can get along just fine working fewer hours. We should be spreading the work around more evenly, not clamouring like whores for more pointless things to do. Go against a whole society's worth of divide-and-conquer indoctrination and consider a little less competition and a little more cooperation.

  16. Re:Waaah by al0ha · · Score: 1

    The /. site has the same problem as the one outlined in this story; so yeah I'd pretty much have to agree with that sentiment after having let them know a long time ago and still nothing has been done about it.

    Glad I don't pay for a subscription - hopefully at least there they require another token besides the one set when logging in in order to get to order and cc info; or better yet they don't save CC info.

    Even so, I rarely log in to /. as in my opinion this is totally lame regardless, no site should function this way.

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
  17. Using Cookie by Culture20 · · Score: 1

    I bet I can use cookies to hijack accounts too. "A free chocolate chip cookie if you log in to example.com on this professional, secure kiosk here and do XYZ."

  18. Solution is simple by Anonymous Coward · · Score: 0

    Just set Firefox to delete all cookies when you exit. That's what I've done ever since I had the option.

  19. Re:LinkedIn is worthless by Anonymous Coward · · Score: 0

    No, they still check sites like Monster and Dice.

    Don't tell me I'm wrong; I just did a job search a month ago, and every call was because they got my resume from Dice or Monster, not because they saw my LinkedIn profile.

    But it's not like some recruiters didn't ask to be added to my network, even though those recruiters didn't extend the job offer. They're still in the black hole; I've neither accepted them nor declined them.

    LinkedIn's whole business model is upselling basic account users and also convincing them to add apps to their profile. Oh yeah, and convincing them to remain visible by hiding who has viewed their profile. I e-mailed them once when I had no apps in my profile after just creating it, and the next login, I had an app auto-added to my profile.

    Now that I have a job, I'm thinking of getting rid of my LinkedIn profile. I guess I don't need to have hundreds of connections in my profile, I really don't need my profile at this time.

  20. Re:LinkedIn is worthless by Anonymous Coward · · Score: 0

    If you're still not happy with yourself, you use LinkedIn to compare cock size and actually check other people's profiles.

    No. That's chatroulette.

  21. Well done... by Anonymous Coward · · Score: 0

    Someone congratulate this n00b for uncovering something the rest of us have already known for years.