Security Problem Is Yet Another Hole in LinkedIn's Overinflated Stock Price
A newly discovered problem with LinkedIn's (LNKD) security punches yet another hole in the argument that its still-lofty valuation is justified. The security hole lets hackers take control and even alter the profiles of LinkedIn users. If LinkedIn hopes to add to its earnings by selling data from its users, how much is that data worth if it's wrong -- or if it could be had for free?
On Saturday, researcher Rishi Narang posted on his blog that he had found a way to easily hijack LinkedIn profiles by "capturing" cookies created in the use of the site.
How the cookie crumbles
Narang reported that hackers can easily access cookies LinkedIn issues after the user successfully logs into his profile. Among those cookies -- small data files typically stored on a user's computer -- is one that tells the server the user is already authenticated, and so doesn't need to keep resubmitting a password. Narang says a hacker can easily get hold of these cookies thanks to the insecure way LinkedIn handles and broadcasts them.
"In just 15 minutes, I was successfully able to access multiple active accounts that belong to individuals from different global locations," Narang wrote. As a result of this hole, attackers could access these hacked accounts even after their password change, as cookies remain valid anyway. In fact, they're good for an entire year.
In response to this, LinkedIn announced it was cutting the time the cookies remain valid to three months. Doesn't that make you feel better? Further, the company said it was going to extend the option of signing in over a secure (SSL) connection to members "on an opt in basis."
Why make user security an opt-in? LinkedIn only knows.
And how LinkedIn's model could crumble, too
What this has to do with the company's helium-filled stock price is simple. Probably the most lucrative way for the business-networking site to make money is by data mining. (See Facebook, confessions of here and here and ...) Well, what does it say when the data in question is so easily falsified, let alone that it's possible to get access to it for free?
Add the fact that a lot of the data is out of date because so many users spend so little time on the site and its value drops even farther.
This is one reason so many bears are now circling around LinkedIn's stock price. Analysts say that if you look less at the hype and more at things like estimated earnings before interest, taxes, depreciation and amortization, LinkedIn's stock should trade 60 percent below yesterday's closing price of $88.30. Even that price is down nearly a quarter from last week's high of $122.70.
A rational market! That may be what LinkedIn's investors fear the most.
Related:
