During a demonstration at the Microsoft Tech Days 2012 in Eigenbrakel a 'famous' Microsoft white-hat hacker demonstrated how easy it was to capture a LinkedIn password over a secure HTTPS connection.
She was using Fiddler, an intermediate proxy. The hacker added the Fiddler self-signed certificate to the list of trusted root certificates. She then claimed that the username and the password were not transferred in a secure way, because she had intercepted them in clear text with her 'magic' tool?! I think she definitely needs to review some basics of PKI or Public Key Infrastructure... A shame for Microsoft :)
The GOOD news... there are no issues at all with the login procedure in LinkedIn! The credentials are transferred over a secure HTTPS connection. However, capturing those credentials is still possible when using intermediate proxies or firewalls with an HTTPS inspection function, because the client has been made to trust the proxy's certificate. That's not a LinkedIn problem, that's just how PKI works.
The BAD news... LinkedIn is not using HTTPS for every transaction. It is really easy to hijack a LinkedIn session!
To demonstrate the issue, I created a LinkedIn test account User1.
User1 is a legitimate user and has a valid LinkedIn session.
User2 is the attacker and wants to hijack User1's session.
I'm logging in with the User1 account:
After analyzing the HTTP session parameters I found an interesting cookie:
For User1 it has the following value:
This is the session cookie and it expires after 3 months!
Because session cookies are transferred with each HTTP request and because LinkedIn is using non-encrypted HTTP communication for most of its transactions, it is now very easy to capture the leo_auth_token cookie. Capturing HTTP traffic could be done over a non-secure wireless network or using other techniques like ARP injection, MAC flooding, SNMP hacking,... Maybe in the future I will post some new articles explaining those techniques.
Suppose that User2, our attacker, captured the leo_auth_token cookie using one of the above techniques. He could now open a new browser session and add the captured session cookie to the list of cookies using a cookie editor (for this exercise we cleared all the existing cookies).
After adding the captured cookie to the browser, User2 enters the following URL to edit a LinkedIn profile:
The magic happens:
We hijacked User1's session!
Now we can easily edit User1's profile:
In the same way we could list contacts, add contacts, remove contacts, read messages and send 'spoofed' messages to the contacts,...
Because the LinkedIn session cookie is stored for 3 months and most LinkedIn users never log out of a session, an attacker has plenty of time to tamper with someone's profile after capturing the session cookie over a non-secured HTTP connection.
Hijacking a LinkedIn session is really easy!
LinkedIn is just not safe enough. They should definitely switch to HTTPS-only and use session cookies with longer values and with shorter expiration times!
Something to think about when using LinkedIn as a social media platform for professional purposes!