Indian researcher uncovers LinkedIn cookie flaw

The problem, he told the Reuters newswire, centers on the LEO_AUTH_TOKEN cookie, which is stored on the user's computer for up to a year in an unencrypted format.

This makes the cookie 'sniffable' with several commonly used network packet analysis tools, and means that a user logging in over a WiFi connection on a train or in a public place such as an airport or cafe could have the cookie eavesdropped and then used to access the account from a third-party computer.

According to Narang, in a technical posting to his wtfuzz.com security blog over the weekend, the cookie sniffing issue could be a problem for LinkedIn users who regularly access the site via public WiFi connections.

LinkedIn moved swiftly over the weekend to counter the comments from the Indian IT security researcher, and said it has already taken steps to secure its members' accounts.

"LinkedIn takes the privacy and security of our members seriously", the firm said in a press statement.

"Whether you are on LinkedIn or any other site, it's always a good idea to choose trusted and encrypted WiFi networks or VPNs (virtual private networks) whenever possible", said LinkedIn.

As part of its response, LinkedIn told Reuters that it is preparing to offer opt-in SSL support for other parts of the site, an option that would cover encryption of those cookies. The company said it expected the security feature to be made available in the coming months.
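A defender-side audit of the cookie attributes at issue, added here as an example and not taken from the article or from LinkedIn: it parses a Set-Cookie header and flags a session cookie that is sent without the Secure flag or that persists far longer than a session. The header values are constructed and the 24-hour lifetime threshold is an assumed policy.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Session cookies living longer than this are flagged (assumed policy threshold).
MAX_SESSION_LIFETIME = 24 * 3600

def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs

def cookie_lifetime(attrs, now):
    """Seconds until expiry; None for a browser-session cookie."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None

def audit_cookie(header, now=None):
    """Return (cookie name, list of weaknesses) for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: sent over plain HTTP, so sniffable on open WiFi")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by page scripts")
    life = cookie_lifetime(attrs, now)
    if life is not None and life > MAX_SESSION_LIFETIME:
        findings.append(f"persists {life // 86400} days: a stolen copy stays valid that long")
    return name, findings

# Constructed sample headers (not real LinkedIn responses): the weak form the
# article describes, beside a hardened one.
WEAK = "LEO_AUTH_TOKEN=EXAMPLE_TOKEN; Max-Age=31536000; Path=/"
HARDENED = "LEO_AUTH_TOKEN=EXAMPLE_TOKEN; Max-Age=3600; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for h in (WEAK, HARDENED):
        name, findings = audit_cookie(h)
        print(name, findings or ["ok"])
```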

The press response, however, did not address Narang's security comments directly, Infosecurity notes, most notably as to why the firm stores a cookie for up to a year on users' computers.

Narang says that the security problem is particularly acute "because LinkedIn's users are not aware of the problem and have no idea that they should be protecting those cookies."

He told Reuters that he had found that four cookies containing valid LinkedIn access tokens had been uploaded to a LinkedIn developer forum by users who were posting questions about their use.

He claims that, after downloading the cookies, he was "able to access the accounts of the four LinkedIn subscribers."
