Yesterday, an independent researcher claimed on his blog to have successfully exploited vulnerabilities in the way LinkedIn handles and transmits cookies over SSL (see the blog at http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability). According to the blog, one of the problems is that cookies are sent in plain text over unencrypted channels of communication because the cookies set over SSL do not have the Secure flag set, and these cookies appear to contain session tokens.
"An attacker may be able to perform a man in the middle (MITM) attack, and thus capture these cookies from an established Linkedin session," said the researcher.
This type of attack is similar to how Firesheep, a Firefox plug-in that was released in October 2010, enabled hackers to hijack information from other users on the same unsecured Wi-Fi network. The most notable attack was the successful hijacking of Ashton Kutcher’s Twitter account.
In response to the issue, LinkedIn offered the following comment to The Register (http://www.theregister.co.uk/2011/05/24/linkedin_cookie_vuln/):
“Whether you are on LinkedIn or any other site, it’s always a good idea to choose trusted and encrypted wifi networks or VPNs whenever possible. If one isn't available, we already support SSL for logins and other sensitive web pages. Now, we are accelerating our existing plans to extend that SSL support across the entire site on an opt-in basis. And, we are going to reduce the lifespan of the cookies in question from 12 months to 90 days. LinkedIn takes the privacy and security of our members seriously, while also looking to deliver a great site experience, and we believe these two changes will allow us to strike that balance.”
With that statement, LinkedIn is poised to join other popular social network websites, including Facebook, Twitter and FourSquare, in protecting users from MITM attacks with SSL support for its site.
That’s big news for LinkedIn users.
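The two cookie properties discussed above, a missing Secure flag and a long lifetime, can be checked from a site's `Set-Cookie` response headers. The following is an added example, not code from the researcher or from LinkedIn; the cookie names and values are constructed, and the 90-day threshold is the figure from LinkedIn's statement.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME_DAYS = 90  # shortened cookie lifetime quoted in LinkedIn's statement

# Constructed Set-Cookie header values (not captured from any real site).
SAMPLE = [
    "session_token=abc123; Path=/; Max-Age=31536000",  # 365 days, no Secure
    "auth=def456; Path=/; Secure; Max-Age=7776000",    # 90 days, Secure
    "prefs=xyz; Path=/; Secure; Expires=Thu, 24 May 2012 00:00:00 GMT",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime_days(attrs, now):
    """Cookie lifetime in days; Max-Age takes precedence over Expires. None = session cookie."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) / 86400
        if "expires" in attrs:
            return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    except (TypeError, ValueError):
        pass  # unparseable value: treat as unknown rather than guessing
    return None

def audit(headers, now=None):
    """Return (cookie_name, issue) pairs for cookies that can leak over HTTP or live too long."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:  # browser will also send it over plain HTTP
            findings.append((name, "missing-secure"))
        days = lifetime_days(attrs, now)
        if days is not None and days > MAX_LIFETIME_DAYS:
            findings.append((name, "long-lifetime"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE, datetime(2011, 5, 24, tzinfo=timezone.utc)):
        print(f"{name}: {issue}")
```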