Several days after LinkedIn began trading under the symbol LNKD on the New York Stock Exchange (NYSE), news reports appeared describing security problems that make it possible for hackers to break into users’ accounts without passwords.
LinkedIn shares more than doubled in their trading debut on Thursday, recalling the heady days of the dotcom ’90s.
The security vulnerability was found by Rishi Narang and involves a “cookie” file named “Leo_Auth_Token”, which LinkedIn’s program creates when a user logs into their account with their correct name and password. The “Leo_Auth_Token” is like a key that lets the user open their account.
Cookies are commonly used in this way, but Narang, an independent researcher living near New Delhi, India, said the cookies LinkedIn uses are unusual because they expire one year after being created. Narang said most websites make their access token cookies expire when the user logs off, or in 24 hours.
Because the LinkedIn access token cookie does not expire for one year, anyone who has access to the computer with the cookie can load the cookie on another computer and access the LinkedIn member’s account.