Slashdot Mirror


Researcher Hijacks LinkedIn Profiles Using Cookie

mask.of.sanity writes "A security researcher has demonstrated holes in the way cookies are handled on LinkedIn profiles by hijacking profiles. The session cookies are sent over unsecured HTTP and remain active for up to a year."
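The two defects in the summary (a session cookie sent over plain HTTP, and a lifetime of up to a year) are both visible in the `Set-Cookie` header a server emits, so they can be checked mechanically. The following audit script is an added example, not code from the story or from LinkedIn; the sample headers are constructed for illustration and the eight-hour lifetime ceiling is an assumed policy, not something the page states.

```python
"""Audit Set-Cookie headers for the weaknesses described in the summary:
transport over plain HTTP, missing Secure/HttpOnly flags, and over-long lifetime.
Added example; the headers below are constructed, not captured from LinkedIn."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Union

# Assumed policy: an ordinary session cookie should not outlive a working day.
MAX_SESSION_SECONDS = 8 * 3600

Attrs = Dict[str, Union[str, bool]]


@dataclass
class CookieFinding:
    name: str
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Attrs:
    """Split 'name=value; Attr=val; Flag' into a dict; flags map to True.
    Only the first '=' of the cookie pair is significant, so 'v=2'-style values survive."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {"__name": name.strip(), "__value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return attrs


def cookie_lifetime_seconds(attrs: Attrs, now: datetime) -> Optional[int]:
    """Lifetime from Max-Age (takes precedence) or Expires; None means a browser-session cookie."""
    max_age = attrs.get("max-age")
    if isinstance(max_age, str):
        try:
            return int(max_age)
        except ValueError:
            return None
    expires = attrs.get("expires")
    if isinstance(expires, str):
        try:
            exp = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return None
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return int((exp - now).total_seconds())
    return None


def audit_set_cookie(header: str, over_https: bool, now: Optional[datetime] = None) -> CookieFinding:
    """Return the problems found for one Set-Cookie header.
    over_https says whether the response carrying the header was itself fetched over TLS."""
    now = now or datetime.now(timezone.utc)
    attrs = parse_set_cookie(header)
    finding = CookieFinding(str(attrs["__name"]))
    if not over_https:
        finding.problems.append("plain-http")      # value already exposed to a passive sniffer
    if "secure" not in attrs:
        finding.problems.append("no-secure")       # browser will resend it over any http:// link
    if "httponly" not in attrs:
        finding.problems.append("no-httponly")     # readable by script on the page
    lifetime = cookie_lifetime_seconds(attrs, now)
    if lifetime is not None and lifetime > MAX_SESSION_SECONDS:
        finding.problems.append("lifetime-too-long")
    return finding


if __name__ == "__main__":
    # Constructed sample: a year-long cookie set over plain HTTP, as the summary describes.
    bad = "JSESSIONID=abc123; Path=/; Max-Age=31536000"
    print(audit_set_cookie(bad, over_https=False))
```

Run it against real headers by feeding each `Set-Cookie` line from a response you are entitled to inspect; a finding with an empty `problems` list is a cookie that at least carries the right flags and a bounded lifetime.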

10 of 49 comments

  1. Firesheep? by Robadob · · Score: 3, Interesting

    "The session cookies are sent over unsecured HTTP" Isn't this basically the same as the way the Firefox add-on Firesheep worked?

  2. Session Cookies by Oxford_Comma_Lover · · Score: 3

    Meh. Most session cookies are sent over unsecured HTTP. The only reason this is coming up is the LinkedIn IPO.

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!

    1. Re:Session Cookies by GP1911 · · Score: 2

      The session will still be valid on the server after the user closes their browser. There's no way for it to know when a user ends their browsing session. And someone capturing the session cookie could just use it immediately to keep the session active as well.

  3. Re:Bit offtopic but facebook defaults to http now by mehrotra.akash · · Score: 2

    probably because most apps don't work with https

  4. Yeah, no shit. by Anonymous Coward · · Score: 5, Insightful

    About a month ago my mom was asking me why she was able to add connections to MY LinkedIn profile. Obviously I'd logged in once on her computer and the cookie had been active ever since.

    I'd have less of a concern with it if the cookies didn't last so FUCKING long. In fact... you should only have one active login session at a time, unless they want to create the notion of a "trusted" computer whose login cookie lasts forever. But if I don't click "remember me on this computer", having the login cookie persist for long periods of time is just dumb.

    1. Re:Yeah, no shit. by antdude · · Score: 2

      You should make another OS account and use it. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

  5. Re:LinkedIn is worthless by geekoid · · Score: 2
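GP1911's point above (the server cannot know when a user "ends" a browsing session, so a captured cookie stays usable) and the parent's complaint (a login should not persist unless "remember me" was chosen) both come down to the server enforcing its own lifetime rather than trusting the cookie's. The session store below is an added example, not LinkedIn's implementation; the timeout values, the `SessionStore` API and the use of a fake clock are assumptions made for illustration.

```python
"""Server-side session lifecycle: idle timeout, absolute timeout, bounded 'remember me',
and explicit revocation, so a leaked token has a limited window whatever the cookie says.
Added example; policy numbers are assumed, not LinkedIn's."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60             # ordinary session ends after 30 min without a request
ABSOLUTE_TIMEOUT = 8 * 3600        # ordinary login never lives past 8 hours, active or not
REMEMBER_ME_TIMEOUT = 30 * 86400   # "remember me" is longer but still bounded (30 days)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    remember_me: bool


class SessionStore:
    """The server is the only holder of session state; the cookie is just an opaque token."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock            # injectable so expiry can be tested without sleeping
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, remember_me: bool = False) -> str:
        now = self.clock()
        token = secrets.token_urlsafe(32)   # 256 bits of randomness; never derived from user data
        self._sessions[token] = Session(user, now, now, remember_me)
        return token

    def cookie_header(self, token: str) -> str:
        """Set-Cookie value for a freshly issued token.
        Without 'remember me' no Max-Age is sent, so the browser drops it at exit;
        the server-side limits apply either way."""
        session = self._sessions[token]
        attrs = ["Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
        if session.remember_me:
            attrs.append(f"Max-Age={REMEMBER_ME_TIMEOUT}")
        return "session=" + token + "; " + "; ".join(attrs)

    def resolve(self, token: str) -> Optional[str]:
        """Map a presented token to a user, or None if unknown or expired (expired ones are deleted)."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        lifetime = REMEMBER_ME_TIMEOUT if session.remember_me else ABSOLUTE_TIMEOUT
        too_old = now - session.created > lifetime
        # Idle timeout applies only to ordinary logins; remember-me relies on the absolute bound.
        too_idle = (not session.remember_me) and (now - session.last_seen > IDLE_TIMEOUT)
        if too_old or too_idle:
            self.revoke(token)
            return None
        session.last_seen = now
        return session.user

    def revoke(self, token: str) -> None:
        """Logout: the token stops working immediately, regardless of the cookie's lifetime."""
        self._sessions.pop(token, None)

    def revoke_all_for_user(self, user: str) -> int:
        """Invalidate every session of a user (password change, 'log out everywhere'); returns count."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice")
    print(store.cookie_header(tok))
    print(store.resolve(tok))
```

The design choice worth noting is that `resolve` is the single gate: a token copied off the wire is worth exactly as much as the server's own timers allow, and a user who notices a problem (as the parent's mother's computer would have revealed) can cut every outstanding session with one `revoke_all_for_user` call.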

    Bullshit.

    Networking is the number 1 way to get employment. Your skills only dictate the level of employment you get, and advancement.

    LinkedIn is just a way to network. It's another tool. The fact is, LinkedIn has a business plan, and a way to make money; which is a hell of a lot different than the boom in the late 90s. Which was 'Sell at a loss, make up for it in volume'

    LinkedIn is becoming one of the first places people check when they are thinking of hiring you.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

  6. Re:Is there profit in LinkedIn hijacking? by vlm · · Score: 3, Interesting

    But in my adult world, I don't see the attraction to the risk/reward equation of a LinkedIn hijacking.

    I can come up with a couple of identity theft scenarios and a couple of outright theft scenarios. All basically just social engineering with greater odds of success because of massive inside info.

    "Hi HR droid, I'm vinn01, oh you saw my LinkedIn profile, cool, nice pic, huh? Well I need a copy of the form to add a medical insurance dependent faxed to me.. Uh huh, we named him something really trendy, Illegal Alien, yeah, what could go wrong with that?"

    "Hi, travel dept, I'm vinn01 over here in slashdot editing... yes you're right I DO work for Cmdr Taco as his personal valet, uh huh, so I was wondering if you could get me a rental car for that big trip to nowheresville I've been posting about on LinkedIn. uh huh, well, see, uh, I'm in a big hurry, running late, and I was wondering if you could leave the rental car keys at the new receptionist's desk, I'll pick them up on my way out."

    Then you wanna really get creepy, you figure 1 in a 1000 "healthy young people" croak per year, and imagine you're unemployed and have all the time in the world... So you get a bunch of company sponsored life insurance beneficiaries for single people changed to your name, since they're single probably no one will even notice, as soon as one croaks in a car accident and you collect your check (described on the form as "domestic partner" I suppose) then buy your private island...

    Even just simple theft. Troll until you find a mark who matches your demographics, find the newest coworker IT guy, who probably doesn't know the mark, call around to figure out the mark has the day off, walk into the office, convince the IT guy to loan the mark (actually the crook posing as the mark) a new laptop, wander off with new laptop.

    Then too, you can gather info and sell it, even if it's pseudo private. If we go back in time, someone at LinkedIn has a new coworker devoted to IPO issues and they were probably hired before the IPO was publicly announced... Notice the Apple employee suddenly has a bunch of new coworkers with certain peculiar experience profiles indicating the near future release of unannounced groundbreaking product, the iLoo, certain to revolutionize plumbing, complete with an app store and a very glossy plunger...

    Crooks might be lazy, but at least they're sometimes creative.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger

  7. Re:Bit offtopic but facebook defaults to http now by Anonymous Coward · · Score: 2, Informative

    HTTPS is not the default standard because it requires cryptographic overhead. Your Apache web server is throwing up a bazillion pages each minute, but now has to do the same task, but while individually negotiating a secure encrypted tunnel with each client being served. It SHOULD be the default standard, but most people don't know/care what an SSL certificate is, how to actually check if their connection is secure, etc.