LinkedIn snaps shut OAuth login token snaffling vulnerability

Facebook-for-bosses website LinkedIn has fixed a security vulnerability that potentially allowed anyone to swipe users' OAuth login tokens. The flaw came to light after British software developer Richard Mitchell discovered that part of LinkedIn's customer help website handed out the private OAuth token of the logged-in user. …

COMMENTS

This topic is closed for new posts.
Silver badge

Social Media

"It's great that the farmer lets us pigs stay in his barn for free, but it's really nice he brings that free food round every day"

If you're using it and you're not paying for it, you're not the customer, you're the product being sold. Which is even more true on LinkedIn!

1
0

Re: Social Media

Except for when people pay for it?

0
0
Anonymous Coward

Re: Social Media

You're not wrong there - the whole reason behind LinkedIn is to sell yourself, shirely?

1
0
Silver badge

Argggggh

Using user-generated headers/tokens for security purposes.... Noooooooooo!

Also:

"The fix involved disabling requests without HTTP referrers, according to Mitchell."

Errrrm, I don't see how this helps!

4
0

Re: Argggggh

Don't see how it helps?

Why - it makes them go to the actual bother of spoofing the referer properly rather than just suppressing it. Adds whole seconds to the miscreant's timeline.

2
0
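To make the point of the two comments above concrete from the defender's side: a Referer check only proves the client chose to send a plausible header, so it should be paired with a control the client cannot fabricate, such as a token bound to the server-side session. The code below is an added illustration, not code from the article or from LinkedIn; the allowed origin, the header names, the dict-shaped session and the sample requests are all assumptions constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed: the only first-party origin allowed to call the help endpoint.
ALLOWED_ORIGINS = {"https://help.example.com"}


def referer_allowed(headers):
    """Weak control: reject requests with an absent or foreign Referer.

    This mirrors the 'disable requests without HTTP referrers' fix. It stops
    requests that simply omit the header, but the value is client-supplied,
    so on its own it is not evidence that the request came from our page.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def issue_csrf_token(session):
    """Mint a random token and store it in the server-side session.

    The page embeds this token and sends it back on state-changing or
    token-returning requests; a foreign page has no way to read it.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, headers):
    """Strong control: the presented token must match the session's token."""
    expected = session.get("csrf_token")
    presented = headers.get("X-CSRF-Token")
    if not expected or not presented:
        return False
    # Constant-time comparison so the check does not leak the token.
    return hmac.compare_digest(expected, presented)


def request_allowed(session, headers):
    """Both checks must pass; the Referer check alone is not sufficient."""
    return referer_allowed(headers) and csrf_token_valid(session, headers)


def evaluate_samples():
    """Run constructed sample requests and report which checks each passes."""
    session = {}
    token = issue_csrf_token(session)
    good_ref = "https://help.example.com/faq"
    samples = {
        # Legitimate request from our own page, carrying the session token.
        "first_party": {"Referer": good_ref, "X-CSRF-Token": token},
        # Request with no Referer at all: the header-based fix blocks this.
        "no_referer": {},
        # Request from some other origin: blocked by the origin allowlist.
        "foreign_referer": {"Referer": "https://other.example.net/"},
        # Plausible Referer but no session-bound token: passes the weak
        # check and is caught only by the token check.
        "referer_only": {"Referer": good_ref},
    }
    return {
        name: {
            "referer_ok": referer_allowed(hdrs),
            "token_ok": csrf_token_valid(session, hdrs),
            "allowed": request_allowed(session, hdrs),
        }
        for name, hdrs in samples.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name:16} {result}")
```

The `referer_only` sample is the case the reply is getting at: once an attacker-controlled client supplies a header that looks right, the Referer check is satisfied, and only the session-bound token stands between the request and the data. Keeping the Referer/Origin check as defence in depth is fine; relying on it alone is not.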
Facepalm

"I fixed LinkedIn OAuth security bug and all I get is this lousy T-shirt" LOL

3
0

Look behind you! A three-headed monkey!

0
0