Linkedin Password Leak: Is it over?
Few days back i came across linkedin password leaks on hackernews. Surprised as i was, like everyone else i also checked if my password was hacked, and found that it was not. Being a paranoid, i still went ahead and changed my password on linkedin. And this is where all the fun starts.
I changed my linkedin password in a browser window; and it worked fine, no surprises. The surprise is, all my other devices on which i use linkedin App. I use an android and an iPhone and i have installed linkedin app on both. Like most other people, i am always logged in those apps. The surprise is, even after changing my password, both the apps are still working fine! I was never logged out of any of the Apps saying incorrect password! Ideally i would expect these apps to kick me off and ask for the correct password to log me in.
Seems to me there may be other issues regarding password handling in the linkedin infrastructure. Either the old password hashes are still valid or they are cached in some application layer making it work even when password has been changed.
The implications of this behaviour are huge. Even if you have changed your password, your old password is still valid and working!
The question is: is it only me? or am i missing something obvious about how password changes work these days? Let's see if other people has noticed this too.