Security researchers slam LinkedIn's Intro messaging app
Security researchers are blasting professional networking platform LinkedIn's new Intro email scanning application for Apple's iOS, comparing the service to hacker attacks.
The Intro plug-in essentially redirects e-mail traffic to and from users' iPhones and iPads through LinkedIn's servers, analyzing messages for relevant data and adding corresponding profile information. When a message is read in the iPhone Mail app, Intro inserts the sender's job title, company name and location above the text, and scrolling down reveals the sender's professional summary and a summary of the strongest mutual LinkedIn connections between the sender and recipient.
Researchers say that Intro's redirection model recalls so-called "man-in-the-middle" cyberattacks, where hackers intercept and exploit Internet traffic en route to its intended recipient.
"LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like," security consulting group Bishop Fox writes in a blog post. "'But that sounds like a man-in-the-middle attack!' I hear you cry. Yes. Yes it does. Because it is. That's exactly what it is. And this is a bad thing. If your employees are checking their company email, it's an especially bad thing."
Bishop Fox goes on to explain that Intro essentially violates attorney-client privilege because messages routed through LinkedIn's servers are no longer confidential. The firm also contends that LinkedIn is storing private communications and changing device security profiles, which likely violates corporate security policies. "If your company's policy (e.g., security, confidentiality, data classification, email) has anything about not disclosing sensitive data, it more likely says something like 'Do not share sensitive data with third-parties.' You're probably violating that by installing Intro."
Richard Bejtlich, chief research officer at computer security company Mandiant, told The New York Times he is "flabbergasted" by Intro. "I worry LinkedIn is not going to treat this as the holy grail for people's email, even though it is," Bejtlich says. "The risk is that you essentially trust a box, run by LinkedIn, with your e-mail. It's a target for someone who wants to get to your email. All the fears people now have about email, that they will be intercepted by intelligence agencies, for instance, are present."
LinkedIn defended Intro on its blog. "When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible. We explored numerous threat models and constantly challenged each other to consider possible threat scenarios," writes LinkedIn information security manager Cory Scott. "It's important to note that we simply add an email account that communicates with Intro. The profile also sets up a certificate to communicate with the Intro web endpoint through a web shortcut on the device. We do not change the device's security profile in the manner described in a blog post that was authored by security firm Bishop Fox on Thursday."
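The dispute above turns on what the Intro configuration profile actually installs: a mail account whose IMAP/SMTP servers belong to a third party, plus a certificate. The following is an added example, not code from the article, LinkedIn or Bishop Fox, showing how a defender can audit an iOS .mobileconfig for mail accounts that would route traffic outside an approved set of hosts or that install a root certificate. It assumes the profile uses Apple's standard mail and certificate payload keys; the hostnames and the sample profile are constructed.

```python
"""Audit an iOS configuration profile (.mobileconfig plist) for mail accounts that
route IMAP/SMTP through non-approved hosts, and for root-certificate payloads."""
import plistlib

# Hypothetical corporate mail hosts; replace with your organization's allow-list.
APPROVED_MAIL_HOSTS = {"imap.example.com", "smtp.example.com"}


def audit_profile(profile_bytes, approved_hosts=APPROVED_MAIL_HOSTS):
    """Return findings as (payload_identifier, setting, value) tuples."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        ident = payload.get("PayloadIdentifier", "<unknown>")
        if ptype == "com.apple.mail.managed":
            # Mail payloads name the servers the device will talk to; flag any
            # host that is not in the allow-list (a third-party relay).
            for key in ("IncomingMailServerHostName", "OutgoingMailServerHostName"):
                host = payload.get(key, "").lower()
                if host and host not in approved_hosts:
                    findings.append((ident, key, host))
        elif ptype == "com.apple.security.root":
            # A root CA payload makes the device trust anything that CA signs.
            findings.append((ident, "root certificate installed",
                             payload.get("PayloadDisplayName", "")))
    return findings


# Constructed sample profile (not LinkedIn's): adds an IMAP account whose
# incoming and outgoing servers point at a third-party relay.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.sample",
    "PayloadContent": [{
        "PayloadType": "com.apple.mail.managed",
        "PayloadIdentifier": "com.example.sample.mail",
        "EmailAccountType": "EmailTypeIMAP",
        "IncomingMailServerHostName": "imap.relay.example.net",
        "OutgoingMailServerHostName": "smtp.relay.example.net",
    }],
})

if __name__ == "__main__":
    for ident, setting, value in audit_profile(SAMPLE_PROFILE):
        print(f"{ident}: {setting} -> {value}")
```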