LinkedIn: The next security breach?

May 23, 2011

If we weren’t already reeling from security breaches at Sony or marketing company Epsilon (which sends millions of emails on behalf of huge companies), word now is that those of us on LinkedIn have to worry, too.

This time the issue’s different, though. No band of nameless, faceless criminals stealing our identities. No credit card numbers slipping into the hands of crooks. It’s mostly about the cookies.

In its zeal to make LinkedIn easier for users so they don’t have to log in over and over again, LinkedIn created cookies (lingering Web browser files) that stick around for a year. That’s a long time in the web world.

By comparison, a bank might let you store a cookie for 10 minutes before you’re logged out due to inactivity. Yahoo will give you two weeks. (LinkedIn just announced that in reaction to the news they will shorten the lifespan of their cookies to 90 days.)

It’s not just about the duration. It’s that the cookie carries your sign-in information, and that can be snatched by anyone so inclined to do so — not just by using a computer you were on, but through software designed to capture that sort of information when you’re using public WiFi or some other unsecured network.

So, what’s at stake here? You could risk being a target of a malicious attack, and since LinkedIn for many folks is essentially their resume, that can be scary. A crook could also snag your list of email addresses and pose as you.

Again, different from the other situations, this news didn’t emerge from a known theft but rather from a security expert finding the flaw and publicizing it — an action that, hopefully, will result in fewer of us getting attacked.

“With LinkedIn, the purpose of the cookie is mainly for convenience. Sometimes these conveniences pose security risks,” says Robert Siciliano, CEO of IDTheftSecurity.com. “If the research is in fact true, LinkedIn needs to scale back on the time it allows for the cookie to maintain data and provide quick logins. They need to make sure an old cookie doesn’t provide logins with a new password.”

Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, said there are steps users can take to protect their information. He suggests users delete all cookies after completing a session and avoid using public or unsecured WiFi until these matters are resolved.

LinkedIn acknowledged the problem and said it is working on allowing users to extend their use of SSL (Secure Sockets Layer) so their information remains encrypted.

The company issued this statement Monday afternoon:

“Whether you are on LinkedIn or any other site, it’s always a good idea to choose trusted and encrypted WiFi networks or VPNs whenever possible. If one isn’t available, we already support SSL for logins and other sensitive web pages. Now, we are accelerating our existing plans to extend that SSL support across the entire site on an opt-in basis. And, we are going to reduce the lifespan of the cookies in question from 12 months to 90 days. LinkedIn takes the privacy and security of our members seriously, while also looking to deliver a great site experience, and we believe these two changes will allow us to strike that balance.”
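The two fixes named above (Siciliano’s point that an old cookie should not keep working after a password change, and LinkedIn’s move from a 12-month to a 90-day cookie), sketched as an added example; this is not the page’s or LinkedIn’s code, and the session-store design, the Secure/HttpOnly attributes and all names are assumptions.

```python
import secrets
import time

ONE_YEAR = 365 * 24 * 3600      # the lifetime the article says LinkedIn used
NINETY_DAYS = 90 * 24 * 3600    # the lifetime LinkedIn said it would move to


class SessionStore:
    """Hypothetical server-side record of issued 'remember me' cookies."""

    def __init__(self, max_age):
        self.max_age = max_age
        self.pw_version = {}   # user -> counter bumped on every password change
        self.sessions = {}     # cookie token -> (user, pw_version, issued_at)

    def login(self, user, now):
        token = secrets.token_urlsafe(32)          # unguessable opaque value
        self.sessions[token] = (user, self.pw_version.get(user, 0), now)
        return token

    def set_cookie_header(self, token):
        # Secure keeps the cookie off plain-HTTP requests (the public-WiFi
        # case the article describes); HttpOnly keeps page scripts from reading it.
        return (f"Set-Cookie: session={token}; Max-Age={self.max_age}; "
                "Secure; HttpOnly; Path=/")

    def change_password(self, user):
        # Bump the version so every cookie issued before the change stops working.
        self.pw_version[user] = self.pw_version.get(user, 0) + 1

    def resolve(self, token, now):
        """Return the user for a presented cookie, or None if it is no longer valid."""
        rec = self.sessions.get(token)
        if rec is None:
            return None
        user, version, issued = rec
        if now - issued > self.max_age:
            self.sessions.pop(token)        # past Max-Age: expired
            return None
        if version != self.pw_version.get(user, 0):
            self.sessions.pop(token)        # issued under an old password
            return None
        return user


def demo():
    # Constructed walk-through: a 30-day-old cookie works, then the password changes.
    now = time.time()
    store = SessionStore(NINETY_DAYS)
    tok = store.login("alice", now)
    before = store.resolve(tok, now + 30 * 24 * 3600)
    store.change_password("alice")
    after = store.resolve(tok, now + 31 * 24 * 3600)
    return before, after
```

With a one-year Max-Age and no version check, the same cookie would keep resolving to the user for the full year regardless of password changes, which is the exposure the article describes.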

The bottom line: No need for panic. Delete your cookies when you’re done with a session and avoid public access if you’re concerned about your privacy.

Comments

LinkedIn is breaching security by accessing information from earlier email correspondence files on members’ personal PCs. After joining the network, using a limited profile, contact names were suggested to me. These names were all known to me but in no way associated with my profile (or theirs). One was a sports colleague with whom I have had regular correspondence; one was someone with whom I have had no direct correspondence, but our email addresses had been included in general emails between members of another group (totally unconnected with either profile). A third one was a purely private and personal, occasional contact, again unassociated with either of our submitted profiles.

Posted by TonyJosolyne
