LinkedIn’s domain name was temporarily redirected to a third-party server Thursday, which resulted in a service outage and potentially put user accounts at risk of compromise.
Uptime monitoring service Pingdom recorded that LinkedIn was unavailable between 2:21 a.m. and 6:16 a.m. U.K. time. Some users trying to access the website saw a domain parking page offering the domain for sale, according to user reports on Hacker News.
During the outage, LinkedIn’s customer service team said on Twitter that the problem was caused by a DNS (Domain Name System) issue, but did not specify why it occurred.
Bryan Berg, co-founder of the App.net social feed service, described the issue as a DNS hijacking and said that LinkedIn’s traffic was directed to the network of a company called Confluence Networks. Because LinkedIn does not use SSL by default, users who tried to access the site during the incident might have exposed their session cookies in plain text to another server, he said.
Session cookies are text files containing unique IDs that websites set in browsers in order to remember authenticated users. Attackers who steal a user’s session cookie can put it into their own browser and access that user’s account.
“Starting few hours ago, we received reports about some sites (including linkedin.com) pointing to IPs [Internet Protocol addresses] allotted to our ranges,” Confluence Networks said in a notice published on its website. “We are in touch with the affected parties & our customer to identify the root cause of this event.”
Confluence Networks describes itself as a colocation and network services provider that has business relationships with data centers in various geographical regions.
In a later update, the company noted that it received verification that the issue was caused by human error and was not security related.
The company did not immediately respond to a request for comment seeking more information about the incident and the names of other websites that have been redirected to its network.
“For a short time early on Thursday morning, linkedin.com was not accessible to a majority of our members,” LinkedIn spokesman Darain Faraz said via email. “We have been told by the company that manages our domain that this was due to an error made on their end. Our team was able to quickly address the issue, and the site is returning to normal.”
From a technical standpoint, the incident could have security implications for LinkedIn users, according to Bogdan Botezatu, a senior e-threat analyst at security vendor Bitdefender.
“As the hijack took place at the DNS level, chances are that the cookies have been sent to the wrong website if the user has not enabled the SSL security feature via the LinkedIn Account Settings,” he said via email.
Unlike other online service providers such as Google or Twitter, which use HTTPS (HTTP Secure) by default for all connections and therefore encrypt them with SSL, LinkedIn supports SSL only as an option.
Cookies have an attribute called “Secure” that can be used to instruct the browser to only transmit them over secure, HTTPS connections. However, if SSL is not used, cookies have the Secure value set to false and can be sent in plain text over HTTP, Botezatu said.
“Since LinkedIn cookies appear to have a lifespan of roughly three months and we don’t know whether they have been collected by the rogue end-website, changing the account password would be the wisest choice now,” he said.
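The following is an added example, not code from LinkedIn or from the article's sources: a simplified Python model of how a browser chooses which cookies to attach to a request, plus an audit for the two properties discussed above (missing Secure attribute, long lifetime). The cookie names, values, `example.com` domain and the one-day lifetime threshold are constructed assumptions, and path matching is omitted.

```python
from datetime import timedelta
from urllib.parse import urlsplit

# Constructed Set-Cookie headers; names and values are hypothetical.
SAMPLE_SET_COOKIE = [
    "session_id=abc123; Domain=.example.com; Path=/; Max-Age=7776000",
    "session_id_s=def456; Domain=.example.com; Max-Age=7776000; Secure; HttpOnly",
    "lang=en; Domain=.example.com; Path=/",
]

def parse_set_cookie(header, origin_host="www.example.com"):
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # Without a Domain attribute the cookie is bound to the host that set it.
    attrs.setdefault("domain", origin_host)
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def sent_with(cookies, url):
    """Names of cookies attached to a request for url (path matching omitted).

    Selection uses the hostname and scheme only, never the IP address, so a
    changed DNS answer does not change which cookies are sent."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    sent = []
    for c in cookies:
        domain = c["attrs"]["domain"].lstrip(".")
        if host != domain and not host.endswith("." + domain):
            continue
        if "secure" in c["attrs"] and parts.scheme != "https":
            continue  # Secure cookies are withheld from plain-HTTP requests
        sent.append(c["name"])
    return sent

def audit(cookies, max_lifetime=timedelta(days=1)):
    """Flag cookies lacking Secure or outliving max_lifetime (assumed threshold)."""
    findings = []
    for c in cookies:
        attrs = c["attrs"]
        if "secure" not in attrs:
            findings.append((c["name"], "missing Secure"))
        age = attrs.get("max-age", "")
        if age.isdigit() and timedelta(seconds=int(age)) > max_lifetime:
            findings.append((c["name"], "long-lived"))
    return findings
```
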
In an updated statement sent via email, LinkedIn said that the incident occurred Wednesday evening, that it wasn’t caused by malicious activity and that it doesn’t believe any LinkedIn member data was compromised in any way.
Updated at 10:45 a.m. PT with additional comment from LinkedIn.