LinkedIn Data Security Vulnerabilities Exposed After IPO Launch

Photo: Mario Sundar/Flickr (CC)
LinkedIn faces its first crisis management moment as a publicly traded company after a data security report found that the accounts of its more than 100 million registered users are vulnerable to social media hackers.

After its booming IPO launch on May 20, 2011, LinkedIn has been all over the news, evoking the steamy tech boom of the 1990s. Before short sellers could calculate and trade on their escalating earnings, independent data security consultant Rishi Narang posted the results of his LinkedIn website scanning report on May 21, revealing the social media company's cookie-related vulnerabilities.

It seems that those tiny files that make it easier for users to gain access to their LinkedIn social media profile also create a greater risk of hacking, according to Narang.

Social Media Insecurity

Like many web-based companies, LinkedIn uses cookies to store computer session information for its users. Unlike many web-based companies, LinkedIn earned a market value of $4.3 billion within the course of a couple of days. The vulnerability to LinkedIn users' accounts comes with costs to its booming brand as the potential Google of the decade.

Narang reports finding two security vulnerabilities with the LinkedIn website. The first is that its cookies are not set with the Secure flag, so session credentials travel in plain text and are exposed to third-party exploitation. The second is that LinkedIn's cookies expire in a year and are not canceled when a user logs out. An attacker can more easily intercept data during these plain-text sessions and gain access to a user's profile account.
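Both findings can be checked from a site's Set-Cookie response headers. The following is an added example, not code from Narang's report or from LinkedIn: the cookie name, the header values and the 90-day threshold (taken from the fix the article mentions) are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME_DAYS = 90  # assumption: the reduced lifespan mentioned in the article

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes with lowercase keys)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime_days(attrs, now):
    """Lifetime in days; None means a session cookie. Max-Age overrides Expires."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None

def audit(header, now, after_logout=False):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure flag")  # cookie is also sent over plain HTTP
    days = lifetime_days(attrs, now)
    if after_logout:
        # A logout response should expire the cookie in the browser.
        if days is None or days > 0:
            findings.append("not expired at logout")
    elif days is not None and days > MAX_LIFETIME_DAYS:
        findings.append("lifetime exceeds %d days" % MAX_LIFETIME_DAYS)
    return name, findings

# Constructed sample headers; "session_token" is a hypothetical cookie name.
NOW = datetime(2011, 5, 21, 10, 0, 0, tzinfo=timezone.utc)
LEAKY = "session_token=abc123; Path=/; Expires=Mon, 21 May 2012 10:00:00 GMT"
HARDENED = "session_token=abc123; Path=/; Secure; HttpOnly; Max-Age=7776000"
STILL_ALIVE = "session_token=abc123; Path=/; Secure; Max-Age=31536000"
CLEARED = "session_token=deleted; Path=/; Secure; Max-Age=0"

if __name__ == "__main__":
    for hdr, out in [(LEAKY, False), (HARDENED, False), (STILL_ALIVE, True), (CLEARED, True)]:
        print(audit(hdr, NOW, after_logout=out))
```

Expiring the cookie in the browser covers only the client side; the server must also reject the old session identifier after logout, which headers alone cannot show.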

Social media "profile hijacking" ranks up there with getting a computer virus. No user wants to discover a compromise to their social media profile -- communicating unknown messages to some of their most valued contacts. Suffice it to say, the day of the data security vulnerability announcement was not a good one for LinkedIn or those who had just invested a boatload of money into the company.

Responding to Data Security Scares

LinkedIn, like any other mid-sized company, should be ready to respond quickly to a data security problem that can become a media problem that exposes a brand to consumer doubt. As expected, a LinkedIn spokesperson immediately announced that the company was working on improvements to the cookie vulnerabilities, including reducing cookie lifespans from a year to 90 days. The company also plans to give users the ability to opt into SSL-supported HTTPS pages, a move that Facebook offered its users early in the year.

While not mentioning LinkedIn's data security vulnerability, business news headlines since the announcement include Bloomberg's "Why LinkedIn Bears Like Haverty Say Plunge Is Inevitable" and South Africa's Business Day's "LinkedIn 'magic show' will end in tears -- analysts". It is difficult to predict how the story of this year's IPO darling will play out. How well LinkedIn is able to respond to the microscopic attention to its business operations, however, will inevitably impact its ability to keep the substantial amount of market value it has been able to secure in a very short amount of time.
