Security

LinkedIn DNS hijacked, traffic rerouted for an hour, and users’ cookies read in plain text

Above: A Linked-pen

App.net cofounder Bryan Berg noticed that LinkedIn was DNS-hijacked tonight and that traffic was rerouted to a shady India-based site, http://www.confluence-networks.com. That’s bad for LinkedIn, but there’s worse news for you.

According to Berg, that site does not require SSL (secure sockets layer), which means that anyone who visited in the last hour or so sent it their long-lived session cookies in plain text … a potential security risk.

DNS hijacking is the process of redirecting a domain name to a different IP address. IP addresses are strings of numbers that identify a server, but they’re long and hard to remember. The DNS system allows us to use simple, easy-to-remember names like http://www.linkedin.com, and it then translates them to IP address like 216.52.242.86.

(You can also use that IP address, by the way, in your browser.)

You can hijack a company’s DNS on the client side by hacking individual computers’ network configurations and on the Internet side by hacking a DNS server — or by installing a rogue DNS server that masquerades as a real DNS server. Alternatively, if you can access a company’s domain records, you can change the IP address associated with that company’s web services.

DownRightNow shows that LinkedIn had a service interruption from about 6 p.m. tonight and lasting until now.

linkedin down

However, I’m able to access the actual LinkedIn service right now, so the site must be up and available for at least some users, or maybe the DNS hijack has only affected a percentage of users.

LinkedIn acknowledged the issue on Twitter but has not updated to say that it is completely resolved yet:

The big question right now is what consequences this might have for users who inadvertently accessed the wrong servers and potentially gave away cookie data that could compromise their accounts.

Image credit: Sheila Scarborough/Flickr

blog comments powered by Disqus