Thursday, May 26, 2011

Indian IT expert accuses LinkedIn of slack security

By Ankita Mishra

New Delhi:
India-based IT expert Rishi Narang has accused the social networking site LinkedIn of slack security. According to reports, Narang has discovered two cookie-handling problems.

Cookies remain usable after authenticated sessions are terminated, and an SSL cookie is being used without its Secure flag set.
Session expiration is indeed a serious issue. Because the cookies stay on the machine after a session is terminated, a malicious user could use somebody else's cookies to restore a connection to that person's account.
Narang discovered this flaw at a time when the cookies were kept for more than a year rather than being deleted when a particular session was terminated.
He also added that a cookie expires only if a user changes their LinkedIn password, then logs in and logs out with the new password.
In the meantime, LinkedIn officials declined to respond to Narang's critique of the company's use of a cookie with a one-year expiration.
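The two weaknesses described above (a cookie set without the Secure flag and a session cookie that outlives logout) can be checked for in Set-Cookie headers, and the second one is fixed on the server side by invalidating the session record at logout rather than relying on cookie expiry. The following is an added example, not code from the article or from LinkedIn; the header values and cookie names are constructed, and the one-day lifetime threshold is an assumption.

```python
import secrets
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Reference time for lifetime calculations (the article's date, as an assumption).
NOW = datetime(2011, 5, 26, tzinfo=timezone.utc)

# Constructed sample Set-Cookie header values; not taken from any real response.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Expires=Sat, 26 May 2012 00:00:00 GMT; HttpOnly",
    "session=abc123; Path=/; Secure; HttpOnly",
    "pref=dark; Max-Age=31536000; Secure",
]

def audit_set_cookie(header, now=NOW, max_lifetime=timedelta(days=1)):
    """Return findings for one Set-Cookie header value.

    Flags a missing Secure attribute (the cookie may be sent in cleartext)
    and a lifetime above max_lifetime (the cookie outlives a normal session).
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag")
    lifetime = None
    if "max-age" in attrs:          # Max-Age takes precedence over Expires
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    if lifetime is not None and lifetime > max_lifetime:
        findings.append(f"{name}: lifetime {lifetime.days} days exceeds {max_lifetime.days}")
    return findings

class SessionStore:
    """Server-side session table: a cookie value is valid only while its entry
    exists here, so logout revokes it no matter what expiry the cookie carries."""
    def __init__(self):
        self._sessions = {}
    def login(self, user):
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[token] = user
        return token
    def logout(self, token):
        self._sessions.pop(token, None)     # a replayed cookie now maps to nothing
    def user_for(self, token):
        return self._sessions.get(token)
```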
