
Researcher Hijacks LinkedIn Profiles Using Cookie

Unknown Lamer posted more than 3 years ago | from the xeroxing-your-business-cards dept.

Security 49

mask.of.sanity writes "A security researcher has demonstrated holes in the way cookies are handled on LinkedIn profiles by hijacking profiles. The session cookies are sent over unsecured HTTP and remain active for up to a year."


Waaah (-1)

Anonymous Coward | more than 3 years ago | (#36221590)

Fuck you slashdot.

Re:Waaah (1)

al0ha (1262684) | more than 3 years ago | (#36222584)

The /. site has the same problem as the one outlined in this story; so yeah I'd pretty much have to agree with that sentiment after having let them know a long time ago and still nothing has been done about it.

Glad I don't pay for a subscription - hopefully at least there they require another token besides the one set when logging in in order to get to order and cc info; or better yet they don't save CC info.

Even so, I rarely log in to /. as in my opinion this is totally lame regardless, no site should function this way.

Firesheep? (3, Interesting)

Robadob (1800074) | more than 3 years ago | (#36221634)

"The session cookies are sent over unsecured HTTP" Isn't this basically the same as the way the firefox addon firesheep worked?

Re:Firesheep? (1)

coolsnowmen (695297) | more than 3 years ago | (#36222030)

Yes, in fact the guy who wrote Firesheep did it to shine light on how ubiquitous the problem was: it doesn't do much good to have secure authentication if the trusted session cookie is sent in the clear. I think the technical term for this is "sidejacking."

Re:Firesheep? (1)

IAmGarethAdams (990037) | more than 3 years ago | (#36223532)

It closes the hole where the unencrypted *password* can be discovered, leading to not only that one session being compromised, but other sessions being compromisable too.

It's not *perfectly* good to only encrypt the login request, but it's certainly a lot better than "not much good". Security is all about layers, remember. Like an onion.

Session Cookies (3)

Oxford_Comma_Lover (1679530) | more than 3 years ago | (#36221656)

Meh. Most session cookies are sent over unsecured HTTP. The only reason this is coming up is the linkedin IPO.

Re:Session Cookies (0)

Anonymous Coward | more than 3 years ago | (#36221832)

Presumably this also requires the (l)user to send 3rd party cookies.

Re:Session Cookies (0)

Anonymous Coward | more than 3 years ago | (#36221948)

Session-only cookies (with respect to the browser process, not the login) are the solution. So the one-year lifetime only applies if you never exit your browser in that time. Don't know about you, but my world changes more than that. :)

Re:Session Cookies (1)

nedlohs (1335013) | more than 3 years ago | (#36222000)

That you exit your browser is completely irrelevant to the person who has a copy of the cookie you sent in the clear already.

Re:Session Cookies (2)

GP1911 (1439907) | more than 3 years ago | (#36222056)

The session will still be valid on the server after the user closes their browser. There's no way for it to know when a user ends their browsing session. And someone capturing the session cookie could just use it immediately to keep the session active as well.

Re:Session Cookies (0)

Anonymous Coward | more than 3 years ago | (#36222710)

Your solution sucks and has exploits. Please do not work on anything IT related for a while. Thank you.
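One way to check a server's Set-Cookie headers for the two weaknesses this thread describes (no Secure flag, so the browser sends the login cookie over plain HTTP, and a lifetime measured in months rather than hours). This is example code added here, not LinkedIn's or Slashdot's; the cookie name, the sample headers, the fixed "now" and the 8-hour ceiling are all constructed assumptions.

```python
"""Audit Set-Cookie headers for the weaknesses discussed in this thread:
a login cookie with no Secure flag (so it is sent over plain HTTP and can
be sidejacked) and a lifetime of months rather than hours.
Example code added for this page; not LinkedIn's or Slashdot's code."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Assumption: this audit's ceiling for a login cookie's lifetime is 8 hours.
MAX_SESSION_SECONDS = 8 * 3600

# Constructed sample headers (cookie name and values are made up).
WEAK_HEADER = "session_token=abc123; Path=/; Expires=Wed, 23 May 2012 04:00:00 GMT"
HARDENED_HEADER = "session_token=abc123; Path=/; Max-Age=28800; Secure; HttpOnly"
# Fixed "now" so the lifetime computation is deterministic.
NOW = datetime(2011, 5, 23, 4, 0, 0, tzinfo=timezone.utc)


def cookie_lifetime_seconds(morsel, now):
    """Lifetime in seconds, or None for a browser-session cookie (no Max-Age/Expires)."""
    if morsel["max-age"]:
        return int(morsel["max-age"])
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def audit_set_cookie(header_value, now=NOW):
    """Return a list of findings for one Set-Cookie header value; empty means it passes."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure flag, so the browser sends it over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, so page scripts can read it")
        lifetime = cookie_lifetime_seconds(morsel, now)
        if lifetime is not None and lifetime > MAX_SESSION_SECONDS:
            findings.append(f"{name}: lifetime of {lifetime // 86400} days exceeds the policy ceiling")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_set_cookie(header) or ["ok"])
```

Note that a browser-session cookie (no Max-Age or Expires) passes the lifetime check but, as GP1911 points out, the server-side session it names still needs its own expiry.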

Again (1)

zanian (1621285) | more than 3 years ago | (#36221666)

It's the week of internet security breach articles!

Re:Again (0)

Anonymous Coward | more than 3 years ago | (#36221752)

It's the week of internet security breach articles!

And it's only Monday.

Bit offtopic but facebook defaults to http now (1)

Anonymous Coward | more than 3 years ago | (#36221670)

A bit off topic, but I noticed Facebook seems to have made everyone HTTP and not HTTPS by default now. Check your own. I had to go in and change my settings after a mate pointed out that it's now the norm. Can anyone tell me why HTTPS is not now the default standard? Given that a lot of data is now going via unsecured public wifi hotspots, it seems like it's only a matter of time before it becomes a commonly used hack.

Re:Bit offtopic but facebook defaults to http now (2)

mehrotra.akash (1539473) | more than 3 years ago | (#36221714)

Probably because most apps don't work with HTTPS.

Re:Bit offtopic but facebook defaults to http now (2, Informative)

Anonymous Coward | more than 3 years ago | (#36223716)

HTTPS is not the default standard because it requires cryptographic overhead. Your Apache web server is throwing up a bazillion pages each minute, but now has to do the same task, but while individually negotiating a secure encrypted tunnel with each client being served. It SHOULD be the default standard, but most people don't know/care what an SSL certificate is, how to actually check if their connection is secure, etc.

Re:Bit offtopic but facebook defaults to http now (1)

speculatrix (678524) | more than 3 years ago | (#36226826)

https allows "reuse" and some savings in crypto overhead:
http://en.wikipedia.org/wiki/Transport_Layer_Security#Resumed_TLS_handshake [wikipedia.org]

to make this work you need a "sticky" load balancer, which is trivial if you've a small web farm but if you've a large CDN it's not trivial.

Re:Bit offtopic but facebook defaults to http now (1)

Tim C (15259) | more than 3 years ago | (#36226192)

Not so; a lot of apps aren't available over HTTP, and so when you use one you will be prompted to switch over to HTTP. You will then remain on HTTP for the remainder of your session.

If you log out and in again, or log on in another browser (which for me logs me off the original session), you will be redirected back to HTTPS.

This assumes that you have set up your account settings to default to HTTPS of course.

Newsworthy? (1, Insightful)

bradgoodman (964302) | more than 3 years ago | (#36221744)

Every time someone hijacks an unsecured HTTP session by stealing a cookie - this is news?

BULLETIN: Guy leaves keys in running, unlocked card - gets stolen. News at 11.

That a good analogy? (1)

xMrFishx (1956084) | more than 3 years ago | (#36221862)

I prefer: Manufacturer sells key-less cars, get stolen from customers. News at 6.

Re:That a good analogy? (1)

Surt (22457) | more than 3 years ago | (#36221950)

Manufacturer sells key-less cars, customers kidnapped and held for ransom!

Re:That a good analogy? (1)

xMrFishx (1956084) | more than 3 years ago | (#36222054)

Plus One, Improvement!

Re:That a good analogy? (1)

Kittenman (971447) | more than 3 years ago | (#36222242)

Ah... car analogies... I knew they'd be here somewhere.

Re:Newsworthy? (0)

Anonymous Coward | more than 3 years ago | (#36221864)

I leave my card unlocked and running all the time. Now I know better!

Pawlenty formally launches White House bid (-1)

Anonymous Coward | more than 3 years ago | (#36221748)

Ex-Minnesota Gov. Tim Pawlenty formally launched his campaign for the White House on Monday by striking out at President Barack Obama’s policies and federal spending, while vowing changes to politically explosive programs like Social Security.

“The hard truth is that there are no longer any sacred programs,” Pawlenty said in Des Moines, Iowa. In a speech overlooking Iowa’s state capitol building, the Republican candidate said federal spending needs to be cut “big time.”

Pawlenty, currently drawing only single-digit support in polls, goes to New York and Florida this week with a smaller-government message as his campaign revs up.

“I’m going to New York City to tell Wall Street that if I’m elected, the era of bailouts and handouts for big banks is over,” Pawlenty wrote Monday in USA Today, before speaking in Des Moines. “I’m going to Florida to tell both young people and seniors that our entitlement programs are on an unsustainable path and have to be changed,” Pawlenty wrote.

Yeah, no shit. (5, Insightful)

Anonymous Coward | more than 3 years ago | (#36221776)

About a month ago my mom was asking me why she was able to add connections to MY LinkedIn profile. Obviously I'd logged in once on her computer and the cookie had been active ever since.

I'd have less of a concern with it if the cookies didn't last so FUCKING long. In fact... you should only have one active login session at a time, unless they want to create the notion of a "trusted" computer whose login cookie lasts forever. But if I don't click "remember me on this computer", having the login cookie persist for long periods of time is just dumb.

Re:Yeah, no shit. (0)

Anonymous Coward | more than 3 years ago | (#36222388)

I never grant any website the ability to create cookies that aren't session cookies. Unfortunately, Firefox insists on asking me every time. I wish I could just make this the default behavior.

Re:Yeah, no shit. (2)

creat3d (1489345) | more than 3 years ago | (#36224576)

Check out CookieSafe, a very handy add-on to have along with NoScript and AdBlock.

Re:Yeah, no shit. (1)

Anonymous Coward | more than 3 years ago | (#36223488)

There is log out link. Use it.

Re:Yeah, no shit. (2)

antdude (79039) | more than 3 years ago | (#36223782)

You should make another OS account and use it. :P

LinkedIn is worthless (-1, Flamebait)

Hazel Bergeron (2015538) | more than 3 years ago | (#36221824)

If you want to work for someone and do a good job, you demonstrate skill.

If your skill is insufficient, you network and gain favours from "friends".

If you fail at socialising, you post your profile on LinkedIn.

If you're still not happy with yourself, you use LinkedIn to compare cock size and actually check other people's profiles.

Re:LinkedIn is worthless (0)

Anonymous Coward | more than 3 years ago | (#36221874)

Next IPO, breedersr.us, a social media darling to compare and comment on cock sizes.

Re:LinkedIn is worthless (1)

Archangel Michael (180766) | more than 3 years ago | (#36221894)

(to the rhythm of Burma Shave)

I have no skills
I have no friends
I don't have much on LinkedIn
Haven't compared
Epic Fail

Re:LinkedIn is worthless (2)

geekoid (135745) | more than 3 years ago | (#36221932)

Bullshit.

Networking is the number 1 way to get employment. Your skills only dictate the level of employment you get, and advancement.

LinkedIn is just a way to network. It's another tool. The fact is, LinkedIn has a business plan and a way to make money, which is a hell of a lot different than the boom in the late 90s, which was 'Sell at a loss, make up for it in volume'.

LinkedIn is becoming one of the first places people check when they are thinking of hiring you.

Re:LinkedIn is worthless (0, Flamebait)

Hazel Bergeron (2015538) | more than 3 years ago | (#36222504)

No, skill is the number one way to get employment. Level/advancement is part of getting employment - unless you're being obtuse and counting anything whatever which pays (and no-one at McDonalds reads your LinkedIn profile).

If you do cool things in your field, you will gain a reputation which will put you in demand. If you are not already heard of, you can show what you have done. Publish first, publish/perish, etc. Your CV will list your qualifications and provide pointers to any portfolio.

The number 2 way is networking, which has some value in terms of trusting personal recommendations but is mainly just humans demonstrating the usual primate social behaviour and favouring their group for its own sake.

And number 3 is poor substitutes for networking such as LinkedIn. So, it's like I said in my initial post - which will be angrily modded down because everyone with a LinkedIn profile is embarrassed to be a number 3.

LinkedIn is becoming one of the first places people check when they are thinking of hiring you.

Maybe the people you work with. Anyone who uses such masturbatory nonsense to judge you (or the person you claim to be, or the person someone else claims to be you) is going to be a terrible employer. It's even worse than people who use your Facebook profiles to judge you, because at least there's the small chance that the Facebook profile wasn't simply engineered to get you a better job than you're cut out for.

LinkedIn is popular today because everyone's desperately seeking employment, perhaps preemptively. Desperation often results in irrational behaviour. The problem is that there's not enough work to go around because we're organised/sufficiently advanced such that we can get along just fine working fewer hours. We should be spreading the work around more evenly, not clamouring like whores for more pointless things to do. Go against a whole society's worth of divide-and-conquer indoctrination and consider a little less competition and a little more cooperation.

Re:LinkedIn is worthless (0)

Anonymous Coward | more than 3 years ago | (#36226874)

No, they still check sites like Monster and Dice.

Don't tell me I'm wrong I just did a job search a month ago, every call was because they got my resume from Dice or Monster, not because they saw my LinkedIn profile.

But it's not like some recruiters didn't ask to be added to my network, even though those recruiters didn't extend the job offer. They're still in the black hole; I've neither accepted them nor declined them.

LinkedIn's whole business model is upselling basic account users and also convincing them to add apps to their profile. Oh yeah, and convincing them to remain visible by hiding who has viewed their profile. I e-mailed them once when I had no apps in my profile after just creating it, and the next login, I had an app auto-added to my profile.

Now that I have a job, I'm thinking of getting rid of my LinkedIn profile. I guess I don't need to have hundreds of connections in my profile, I really don't need my profile at this time.

Re:LinkedIn is worthless (0)

Anonymous Coward | more than 3 years ago | (#36226884)

If you're still not happy with yourself, you use LinkedIn to compare cock size and actually check other people's profiles.

No. That's chatroulette.

Is there profit in LinkedIn hijacking? (1)

vinn01 (178295) | more than 3 years ago | (#36221914)

No profit that I can think of. Granted, 13-year-olds don't need a profit motive to deface a rival's Facebook page. But in my adult world, I don't see the attraction to the risk/reward equation of a LinkedIn hijacking.

1. hijack a LinkedIn account
2. change the account information
3. ????
4. profit

Re:Is there profit in LinkedIn hijacking? (1)

matthew_t_west (800388) | more than 3 years ago | (#36221956)

Right?!??! What could one possibly gain besides ruining a profile page? It's not like there's payment info there.

M

Re:Is there profit in LinkedIn hijacking? (3, Interesting)

vlm (69642) | more than 3 years ago | (#36222212)

But in my adult world, I don't see the attraction to the risk/reward equation of a LinkedIn hijacking.

I can come up with a couple of identity theft scenarios and a couple of outright theft scenarios. All basically just social engineering with greater odds of success because of massive inside info.

"Hi HR droid, I'm vinn01, oh you saw my linkedin profile, cool, nice pic, huh? Well I need a copy of the form to add a medical insurance dependent faxed to me.. Uh huh, we named him something really trendy, Illegal Alien, yeah, what could go wrong with that?"

"Hi, travel dept, I'm vinn01 over here in slashdot editing... yes you're right I DO work for Cmdr Taco as his personal valet, uh huh, so I was wondering if you could get me a rental car for that big trip to nowheresville I've been posting about on linkedin. uh huh, well, see, uh, I'm in a big hurry, running late, and I was wondering if you could leave the rental car keys at the new receptionist's desk, I'll pick them up on my way out."

Then you wanna really get creepy, you figure 1 in 1000 "healthy young people" croak per year, and imagine you're unemployed and have all the time in the world... So you get a bunch of company-sponsored life insurance beneficiaries for single people changed to your name; since they're single probably no one will even notice, and as soon as one croaks in a car accident you collect your check (described on the form as "domestic partner" I suppose), then buy your private island...

Even just simple theft. Troll until you find a mark who matches your demographics, find the newest coworker IT guy, who probably doesn't know the mark, call around to figure out the mark has the day off, walk into the office, convince the IT guy to loan the mark (actually the crook posing as the mark) a new laptop, wander off with new laptop.

Then too, you can gather info and sell it, even if it's pseudo-private. If we go back in time, someone at LinkedIn has a new coworker devoted to IPO issues, and they were probably hired before the IPO was publicly announced... Notice the Apple employee suddenly has a bunch of new coworkers with certain peculiar experience profiles indicating the near-future release of an unannounced groundbreaking product, the iLoo, certain to revolutionize plumbing, complete with an app store and a very glossy plunger...

Crooks might be lazy, but at least they're sometimes creative.

Re:Is there profit in LinkedIn hijacking? (1)

Anonymous Coward | more than 3 years ago | (#36224186)

It's good for spear phishing... gain access to an account, tunnel along through connections and pass off malware/spyware/trojans as a trusted friend..

you can target people who have access to corporate and government systems to steal secrets, etc...

Re:Is there profit in LinkedIn hijacking? (1)

FooAtWFU (699187) | more than 3 years ago | (#36224246)

You don't think there's some vindictive asshole out there who wants to damage a professional rival's reputation and ability to conduct professional networking? Steal someone's login and send some quick messages to contacts and you could get them in *some* sort of uncomfortable situation, surely.

LinkedIn Is A Joke (0)

Anonymous Coward | more than 3 years ago | (#36222460)

They can't even be configured to send non-HTMLized update emails anymore.

I told you so (0)

Anonymous Coward | more than 3 years ago | (#36222472)

I told the stupid bastards over a year ago the whole site should be protected by SSL, not just the signon. To have that kind of personal information floating around the net is unacceptable. The guy in customer service just gave me a blank stare via email. I haven't been back to the site since. Not surprised to read this today in slashdot.

Have a nice day, you dopes! Get a clue and come back when you know how to run a secure website!

does it matter? (0)

Anonymous Coward | more than 3 years ago | (#36222498)

OHHHH NOO not my linked in account.. what ever will I do? Man I hate that site!

Using Cookie (1)

Culture20 (968837) | more than 3 years ago | (#36223156)

I bet I can use cookies to hijack accounts too. "A free chocolate chip cookie if you log in to example.com on this professional, secure kiosk here and do XYZ."

Solution is simple (0)

Anonymous Coward | more than 3 years ago | (#36226632)

Just set Firefox to delete all cookies when you exit. That's what I've done ever since I had the option.

Well done... (0)

Anonymous Coward | more than 3 years ago | (#36228576)

Someone congratulate this n00b for uncovering something the rest of us have already known for years.
