LinkedIn: The next security breach?
If we weren’t already reeling from security breaches at Sony or marketing company Epsilon (which sends millions of emails on behalf of huge companies), word now is that those of us on LinkedIn have to worry, too.
This time the issue’s different, though. No band of nameless, faceless criminals stealing our identities. No credit card numbers slipping into the hands of crooks. It’s mostly about the cookies.
In its zeal to make LinkedIn easier for users so they don’t have to log in over and over again, LinkedIn created cookies (small files a web browser stores and sends back on later visits) that stick around for a year. That’s a long time in the web world.
By comparison, a bank might let you store a cookie for 10 minutes before you’re logged out due to inactivity. Yahoo will give you two weeks. (LinkedIn just announced that in reaction to the news they will shorten the lifespan of their cookies to 90 days.)
It’s not just about the duration. It’s that the little collection of code carries your sign-in information and that can be snatched by anyone inclined to do so — not just by using a computer you were on but through some nasty software designed to go out and snag that sort of information when you’re using public WiFi or some other unsecured network.
So, what’s at stake here? You could risk being a target of a malicious attack, and since LinkedIn for many folks is essentially their resume, that can be scary. A crook could also snag your list of email addresses and pose as you.
Again, different from the other situations, this news didn’t emerge from a known theft but rather from a security expert finding the flaw and publicizing it — an action that, hopefully, will result in fewer of us getting attacked.
“With LinkedIn, the purpose of the cookie is mainly for convenience. Sometimes these conveniences pose security risks,” says Robert Siciliano, CEO of IDTheftSecurity.com. “If the research is in fact true, LinkedIn needs to scale back on the time it allows for the cookie to maintain data and provide quick logins. They need to make sure an old cookie doesn’t provide logins with a new password.”
Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, said there are steps users can take to protect their information. He suggests users delete all cookies after completion of a session and avoid using public or unsecured WiFi until these matters are resolved.
LinkedIn acknowledged the problem and said it is working on allowing users to extend their use of SSL (Secure Sockets Layer) so their information remains encrypted.
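The three fixes discussed above (a shorter cookie lifetime, an old cookie no longer working after a password change, and sending the cookie only over SSL) are all server-side session-handling decisions. The following is an added illustration, not LinkedIn's code or anything from the article: a hypothetical session store in which the cookie carries only a random token, each session remembers the password version it was issued under, and the Set-Cookie header carries the Secure flag so the token is never sent over an unencrypted connection. The user names, lifetimes and timestamps are constructed for the demo.

```python
import secrets
import time
from dataclasses import dataclass

ONE_YEAR = 365 * 24 * 3600    # lifespan the article says LinkedIn used
NINETY_DAYS = 90 * 24 * 3600  # lifespan LinkedIn said it would move to


@dataclass
class Session:
    user: str
    issued_at: float
    password_version: int  # snapshot of the user's password version at login


class SessionStore:
    """Hypothetical server-side session table keyed by a random cookie token."""

    def __init__(self, lifetime_seconds: int):
        self.lifetime = lifetime_seconds
        self.sessions = {}           # token -> Session
        self.password_versions = {}  # user -> current password version

    def login(self, user: str, now: float) -> str:
        # 256-bit random token: the cookie holds only this opaque value,
        # never the credentials themselves.
        token = secrets.token_urlsafe(32)
        version = self.password_versions.setdefault(user, 1)
        self.sessions[token] = Session(user, now, version)
        return token

    def validate(self, token: str, now: float):
        """Return the user name for a live session, or None."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.issued_at > self.lifetime:
            del self.sessions[token]  # expired: forget it server-side too
            return None
        if sess.password_version != self.password_versions.get(sess.user):
            del self.sessions[token]  # issued before a password change
            return None
        return sess.user

    def change_password(self, user: str) -> None:
        # Bumping the version orphans every cookie issued under the old password.
        self.password_versions[user] = self.password_versions.get(user, 1) + 1

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)

    def set_cookie_header(self, token: str) -> str:
        # Secure: sent only over TLS, so it cannot be read on open WiFi.
        # HttpOnly: not readable by page scripts. SameSite: not sent cross-site.
        return (f"Set-Cookie: session={token}; Max-Age={self.lifetime}; "
                "Path=/; Secure; HttpOnly; SameSite=Lax")


def demo():
    """Contrast a one-year store with a 90-day store on the same timeline."""
    t0 = time.time()
    day = 24 * 3600
    long_lived = SessionStore(ONE_YEAR)
    short_lived = SessionStore(NINETY_DAYS)
    tok_long = long_lived.login("alice", t0)
    tok_short = short_lived.login("alice", t0)
    results = {
        "one_year_cookie_at_91_days": long_lived.validate(tok_long, t0 + 91 * day),
        "ninety_day_cookie_at_91_days": short_lived.validate(tok_short, t0 + 91 * day),
    }
    # A cookie issued before a password change must stop working.
    tok_old = long_lived.login("alice", t0)
    long_lived.change_password("alice")
    results["after_password_change"] = long_lived.validate(tok_old, t0 + 1)
    tok_new = long_lived.login("alice", t0)
    results["fresh_login_after_change"] = long_lived.validate(tok_new, t0 + 1)
    results["header"] = short_lived.set_cookie_header(tok_new)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lifetime alone is only part of the picture: with the one-year store the stolen cookie still validates at day 91, while the 90-day store rejects it, and in both stores a cookie minted before a password change is refused, which is the check Siciliano calls for. The Secure attribute is what turns "extend SSL across the site" into a guarantee that the token never crosses an open network in the clear.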
The company issued this statement Monday afternoon:
“Whether you are on LinkedIn or any other site, it’s always a good idea to choose trusted and encrypted WiFi networks or VPNs whenever possible. If one isn’t available, we already support SSL for logins and other sensitive web pages. Now, we are accelerating our existing plans to extend that SSL support across the entire site on an opt-in basis. And, we are going to reduce the lifespan of the cookies in question from 12 months to 90 days. LinkedIn takes the privacy and security of our members seriously, while also looking to deliver a great site experience, and we believe these two changes will allow us to strike that balance.”
The bottom line: No need for panic. Delete your cookies when you’re done with a session and avoid public access if you’re concerned about your privacy.