Security vulnerabilities found in LinkedIn

By Dawinderpal Sahota

23 May 2011


A screenshot of the LinkedIn login

A security vulnerability has been found on networking site LinkedIn, days after the web site floated on the public markets.

The flaws enable hackers to break into user accounts without the need for passwords, according to Rishi Narang, the security researcher who identified the problem.


"There exist multiple vulnerabilities in LinkedIn in [the way in] which it handles the cookies and transmits them over SSL," Narang wrote in his blog.

"This vulnerability, if exploited, can result in the hijacking of user accounts and/or modifying the user information without the consent of the profile owner."

He explained that there are two vulnerabilities in the way the site handles the cookies it stores on users' PCs: first, the cookie for an authenticated session is transmitted in plain text over an unencrypted connection; and second, it remains valid for far too long – up to a year.

The news comes as the UK government prepares to implement EU regulations forcing online firms to request explicit consent of users to install cookies on their PCs.

However, guidelines on compliance with EU law from the Information Commissioner's Office have been poorly received by the industry, and labelled as "onerous" and "too late" by leading figures.

The social networking site for professionals is the latest high-profile organisation to have its security vulnerabilities exposed recently.

Sony has had to take the PlayStation Network down for a third time as it leaked the personal – and in some cases financial – details of more than 100,000 customers following a cyber attack.

Meanwhile, password-management firm LastPass recently suffered a vulnerability that allowed the collection of registered email addresses from its site.

Reader comments

The ICO, confusing - never!

Being confusing is a tradition at the ICO. They speak at endless seminars, giving guidance on the Data Protection Act and what is and what is not legal. It seems black and white; however, the reality when you check with a specialist lawyer is a uniform dirty grey. Get proper advice from someone qualified.

This latest change will be more of the same. And it's bizarre - users want cookies. We want pages to load quickly, we like not having to log in every time we visit registration websites and not having to remember countless passwords. Even, and perhaps especially, for our banks. We like it when iPlayer recommends programmes based on our previous usage. And we are a long way from convinced that aggregating data really is bad for our privacy - seems like the worst that can happen is that we get better targeted advertising. I'm all for it. I hate advertising at the best of times, so if it can be made marginally less irritating that's a good thing.

These regulations are European red tape. They offer no protection to consumers of value and they help no industry except the compliance industry.

Posted by: Lord Gaga, 23 May 2011
