Security vulnerabilities found in LinkedIn
A security researcher has found flaws in the way the social networking site stores cookies
A security vulnerability has been found on networking site LinkedIn, days after the web site floated on the public markets.
The flaws enable hackers to break into user accounts without the need for passwords, according to Rishi Narang, the security researcher who identified the problem.
"There exist multiple vulnerabilities in LinkedIn in [the way in] which it handles the cookies and transmits them over SSL," Narang wrote in his blog.
"This vulnerability, if exploited, can result in the hijacking of user accounts and/or modifying the user information without the consent of the profile owner."
He explained that there are two vulnerabilities in the way that the site stores cookies on users' PCs: first, the cookie for an authenticated session is available in plain text over an unencrypted channel of communication; and second, it is available for too long – up to a year.
The news comes as the UK government prepares to implement EU regulations forcing online firms to request explicit consent of users to install cookies on their PCs.
However, guidelines on compliance with EU law from the Information Commissioner's Office have been poorly received by the industry, and labelled as "onerous" and "too late" by leading figures.
The social networking site for professionals is the latest high-profile organisation to have its security vulnerabilities exposed recently.
Sony has had to take the PlayStation Network down for a third time as it leaked the personal – and in some cases financial – details of more than 100,000 customers following a cyber attack.
Meanwhile, password-management firm LastPass recently suffered a vulnerability that allowed the collection of registered email addresses from its site.