Monday, May 23, 2011

LinkedIn Cookie/Session Vulnerability

Well, it isn't *really* a vulnerability so much as a design / architectural flaw.  When you visit a website that uses cookies, a cookie is set when you log in.  That cookie usually carries a time value representing how long it is valid for (which is essentially how long it will be until you need to re-authenticate to the site).  Usually you will see a cookie set to expire 24 - 48 hours after it is set.  Some sites like Google allow you to keep your cookie valid for a period of 30 days so you won't have to log in every single time.  Banks, on the other hand, usually only allow a few hours, with a 10 - 15 minute inactivity timeout.  Given all this, what really is the problem with LinkedIn then?  Well, a cookie that has not yet expired can be used to authenticate to a site, possibly without knowing the username or password of the user.  The question now remains, "how is LinkedIn vulnerable then?"

I'm sure many of you are now looking up your LinkedIn cookie in the browser and reviewing some other cookies for other sites too.  You may have noticed that many other sites don't expire their cookies for a year either.  The issue here isn't that the cookie doesn't expire for a year; it's that what is contained in the cookie doesn't expire for a year.  For example, here is what you might see:



Notice that the auth cookie is valid for one year.  Normally this wouldn't be an issue, because the web application should still expire the session and force a new login when an "old" cookie is pushed up to the server during login.  With LinkedIn this isn't the case.  Even if you change your password and/or log out, the "old" cookie is still considered valid and can be used to replay the session.  If you copy the Content section of this cookie, then log in and out of LinkedIn, the value of Content should change.  Paste the original value back in and the cookie still works, no problem.

This is actually a simple fix on LinkedIn's side: they should not allow "old" cookies to be used after the session has expired or timed out.  Hopefully they will update this soon, but in the meantime you can delete your cookie after visiting the site, or make sure no one steals your cookie until they perform an update.
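The fix described above, as an added Python example (this is not LinkedIn's code, which the post does not show): the cookie carries only a random session ID, and a server-side table decides validity, so logout, a password change, an idle timeout or an absolute lifetime all revoke it no matter how long the browser keeps the cookie. The lifetime and timeout values are constructed for the example.

```python
import secrets
import time

ABSOLUTE_LIFETIME = 24 * 3600   # re-authenticate at least once a day (constructed value)
IDLE_TIMEOUT = 15 * 60          # bank-style inactivity timeout (constructed value)


class SessionStore:
    """Server-side session table. The cookie value is an opaque random ID;
    nothing in the cookie itself says how long the session lives."""

    def __init__(self):
        self._sessions = {}    # session_id -> {"user", "issued", "last_seen", "pw_version"}
        self._pw_version = {}  # user -> counter, bumped on every password change

    def login(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable or derivable
        self._sessions[sid] = {"user": user, "issued": now, "last_seen": now,
                               "pw_version": self._pw_version.get(user, 0)}
        return sid

    def validate(self, sid, now=None):
        """Return the user for a live session, or None if the cookie must be rejected."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None  # unknown, or revoked by logout: a replayed old cookie lands here
        if now - s["issued"] > ABSOLUTE_LIFETIME or now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None  # expired server-side regardless of the cookie's own expiry date
        if s["pw_version"] != self._pw_version.get(s["user"], 0):
            del self._sessions[sid]
            return None  # issued before the user's most recent password change
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        # Deleting the server-side record is what makes the old cookie value worthless.
        self._sessions.pop(sid, None)

    def change_password(self, user):
        # Every session issued under the old password is invalidated on next use.
        self._pw_version[user] = self._pw_version.get(user, 0) + 1
```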



Disclaimer: Rishi Narang is the person who discovered this vulnerability in LinkedIn's site.  This post is just an explanation of the issue.
