The LinkedIn iOS application stores the user’s authentication tokens (authToken) and session cookie values in a plist file, com.Linkedin.LinkedIn.plist, in the /Library/Preferences/ folder under the application’s home directory. Anyone who obtains this plist file can log into the LinkedIn application without supplying the username and password, because the file contains the user’s authTokens and app cookies.
Storing the authTokens in the plist file is a bad design decision. The problem is well explained in the scoopz blog. In addition to that, LinkedIn does not expire the authTokens even after the user has logged out of the application. On logout, instead of invalidating the tokens and cookies on the server, it only removes the tokens stored in the client-side plist file. So if, after logout, we copy back the old plist file that held the user’s authentication token, it will log you in again.
It is possible to replace the plist file even on a non-jailbroken iPhone.
Steps to verify:
1. Log into the LinkedIn iPhone app.
2. Connect the iPhone to a workstation over USB. Install iExplorer on the workstation and open it.
3. With iExplorer, navigate to the LinkedIn application preferences directory and copy the com.linkedin.LinkedIn.plist file to a local drive.
4. On the iPhone, log out of the LinkedIn app.
5. Now if you open the app, it prompts you for your credentials.
6. From iExplorer, drag the copied com.LinkedIn.LinkedIn.plist file back into the LinkedIn preferences folder.
7. Now when you open the LinkedIn iPhone app, it logs you in without asking for credentials.
The sequence of steps above shows that tapping the sign out button does not terminate the user’s session on the LinkedIn server.
The iPhone also backs up the LinkedIn plist file during an iTunes backup. So anyone who gets access to the iTunes backups can very easily get hold of the LinkedIn plist file, together with an authentication token that never expires.
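To show what a correct sign-out has to do on the server side, here is an added example in Python; it is not LinkedIn’s code and not part of the original post. The session store, the token format (id.mac) and the user names are assumptions made for the example; replay_after_logout re-enacts the steps above and reports whether a copied token still authenticates after a client-only logout versus a server-side revocation.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key for this example; a real server would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

class SessionStore:
    """Server-side session registry: a token is valid only while its id is listed here."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.sessions = {}  # session_id -> (user, expires_at)

    def _mac(self, sid):
        return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

    def login(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = (user, now + self.ttl)
        return f"{sid}.{self._mac(sid)}"  # assumed token format: id.mac

    def validate(self, token, now=None):
        """Return the user for a token, or None if it is forged, expired or revoked."""
        now = time.time() if now is None else now
        sid, _, mac = token.partition(".")
        if not hmac.compare_digest(mac, self._mac(sid)):
            return None
        entry = self.sessions.get(sid)
        if entry is None or entry[1] < now:
            self.sessions.pop(sid, None)  # drop expired ids lazily
            return None
        return entry[0]

    def logout(self, token):
        """Correct sign-out: revoke the session id on the server, not just on the client."""
        self.sessions.pop(token.partition(".")[0], None)

def replay_after_logout(server_side_revoke):
    """Re-enact the post's steps; True means the copied token still authenticates."""
    store = SessionStore()
    token = store.login("alice")  # constructed user name
    saved_copy = token  # stands in for the plist copied off the device in step 3
    if server_side_revoke:
        store.logout(token)
    # otherwise: client-only logout as the post describes (app deletes its plist, server unchanged)
    return store.validate(saved_copy) is not None
```

With a client-only logout the saved copy keeps working; with server-side revocation the same copy is rejected, which is the check a sign-out flow should pass.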
I reported the problem to LinkedIn a couple of months ago. I haven’t received any reply. I don’t like to follow up with them because they don’t have a bug bounty program. Anyhow, it is a session expiration problem and I felt there is no harm in revealing this information in a blog post.