LinkedIn snaps shut OAuth login token snaffling vulnerability

Facebook-for-bosses website LinkedIn has fixed a security vulnerability that potentially allowed anyone to swipe users' OAuth login tokens. The flaw came to light after British software developer Richard Mitchell discovered that part of LinkedIn's customer help website handed out the private OAuth token of the logged-in user. …

COMMENTS

This topic is closed for new posts.
  1. Velv

    Social Media

    "It's great that the farmer lets us pigs stay in his barn for free, but it's really nice he brings that free food round every day"

    If you're using it and you're not paying for it, you're not the customer, you're the product being sold. Which is even more true on LinkedIn!

    1. Deano2099

      Re: Social Media

      Except for when people pay for it?

    2. Anonymous Coward

      Re: Social Media

      You're not wrong there. The whole reason behind LinkedIn is to sell yourself, surely?

  2. Jamie Jones

    Argggggh

    Using user-generated headers/tokens for security purposes.... Noooooooooo!

    Also:

    "The fix involved disabling requests without HTTP referrers, according to Mitchell."

    Errrrm, I don't see how this helps!

    1. Colin Millar

      Re: Argggggh

      Don't see how it helps?

      Why - it makes them go to the actual bother of spoofing the referer properly rather than just suppressing it. Adds whole seconds to the miscreant's timeline.
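
The two kinds of Referer check the thread is arguing about, as an added example that is not part of the thread and not LinkedIn's actual fix (the article gives no details of it). The allowlisted origins, the sample request headers and the function names are all constructed for illustration:

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of origins that may call the token-issuing endpoint;
# the real LinkedIn hostnames are not given in the article.
TRUSTED_ORIGINS = {"https://help.example.com", "https://www.example.com"}


def referer_present(headers):
    """Weak check, as described in the thread: deny only requests that carry
    no Referer header at all. Any non-empty value passes."""
    return bool(headers.get("Referer"))


def referer_origin(referer):
    """Reduce a Referer value to scheme://host[:port], or None if unparsable."""
    try:
        parts = urlsplit(referer)
        host, port = parts.hostname, parts.port  # .port raises ValueError on junk
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    default = 443 if parts.scheme == "https" else 80
    if port and port != default:
        return f"{parts.scheme}://{host}:{port}"
    return f"{parts.scheme}://{host}"


def referer_trusted(headers):
    """Stronger check: the Referer must be present AND its origin must be on
    the allowlist. Comparing the parsed origin (not a string prefix) defeats
    lookalike hosts and userinfo tricks such as https://trusted@attacker/."""
    referer = headers.get("Referer")
    if not referer:
        return False
    return referer_origin(referer) in TRUSTED_ORIGINS


# Constructed request headers for the demo, not captured traffic.
SAMPLE_REQUESTS = {
    "browser_on_help_site": {"Referer": "https://help.example.com/article/123"},
    "referer_suppressed":   {},                       # e.g. curl with no -e/--referer
    "cross_site_page":      {"Referer": "https://attacker.test/steal.html"},
    "lookalike_host":       {"Referer": "https://help.example.com.attacker.test/"},
    "userinfo_trick":       {"Referer": "https://help.example.com@attacker.test/"},
    "scripted_spoof":       {"Referer": "https://help.example.com/"},  # set by a script
}


def evaluate(requests=SAMPLE_REQUESTS):
    """Run both checks over each sample; returns {name: (present_ok, trusted_ok)}."""
    return {name: (referer_present(h), referer_trusted(h)) for name, h in requests.items()}


if __name__ == "__main__":
    for name, (weak, strong) in evaluate().items():
        verdict = lambda ok: "allow" if ok else "deny"
        print(f"{name:22s} present-check={verdict(weak):5s} origin-check={verdict(strong)}")
```

Run it and the "present" check lets every sample through except the one with the header removed, which is the point made above: suppressing the header is the only thing it stops. Validating the Referer's origin additionally rejects the cross-site page and the two host-spoofing variants, because a browser fills in the Referer from the page that made the request and script in that page cannot overwrite it. The last sample shows the limit of both checks: a client outside a browser (curl, a script) can send exactly the trusted origin, so Referer validation only mitigates browser-driven cross-site requests and is no substitute for a per-session anti-CSRF token or SameSite cookies. Requiring the header at all also breaks legitimate users whose browser or referrer policy strips it.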

  3. 23de3d3e34
    Facepalm

    "I fixed LinkedIn OAuth security bug and all I get is this lousy T-shirt" LOL

  4. davidp231

    Look behind you! A three-headed monkey!

