Researchers: LinkedIn Intro is a Man-in-the-Middle Attack

26 October 2013

LinkedIn has released a new product called Intro, which displays the LinkedIn profile of an email’s sender from inside the native iPhone Mail app. Members can, at a glance, see the sender’s profile picture, learn more about their background, and connect with them on LinkedIn. It sounds like another step in the march toward hyper-connected convenience, but at least one research group has raised security concerns about how the functionality is delivered.

“We have extended Apple’s built-in iOS Mail app, a feat that many people consider to be impossible,” LinkedIn noted in announcing the perk, adding, “We bent technology to our will.” Outgoing emails receive an additional signature. Incoming emails receive additional LinkedIn profile data.

But security researchers at the Bishop Fox consultancy said that the business-focused social network is doing nothing less than “hijacking email” and effecting the equivalent of a man-in-the-middle attack.

“Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers,” Bishop Fox analysts Vinnie Liu and Carl Livitt explained in a blog. “You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.”

They added, “if I were the NSA…and I hear everyone’s mobile phones were routing their emails through LinkedIn…well I know where I’m having my next birthday party.”

Of course, there’s no evidence that LinkedIn is snooping or otherwise using the data for any purpose other than to offer the aforementioned functionality. "We take the privacy and security of our member's data very seriously and have taken a thoughtful approach to ensure we've put the right security precautions in place for the LinkedIn Intro product," a spokesperson told Infosecurity.

Nonetheless, routing the contents of the iOS Mail app through a third party’s servers is in and of itself cause for concern, the researchers asserted.

“You use your email to stay in touch with everyone in your life from your family to your friends to your business associates,” they said. “And you may exchange particularly sensitive messages with certain people like your lawyer, doctor, psychotherapist, or spiritual advisor. These communications are generally legally privileged and can’t be used as evidence in court – but only if you keep the messages confidential. It’s also likely that Intro violates most companies’ security and information-sharing policies, which usually command employees to not share sensitive data with third-parties.”

Bottom line, according to Bishop Fox? “If you let a third party have access to your privileged email, you could be waiving important legal protections.”

The researchers also said that introducing new data sources into “a medium rife with security issues” – email – opens a new vector for phishing, and that, because the Intro servers append their own signature to outgoing emails, official signatures on messages can no longer be verified.
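To make the signature point concrete, here is an added illustration (editor's example, not code from Bishop Fox, LinkedIn or Infosecurity, and the article does not say which signature scheme the researchers had in mind). It uses the RFC 6376 DKIM "simple" body canonicalization and checks only the bh= body-hash tag; the b= signature over the headers, which also covers bh=, is left out. The message text and the proxy footer are constructed. The same principle applies to any signature computed over the message before it reaches an intermediary that rewrites it, such as S/MIME or PGP signatures applied by the sending client.

```python
import base64
import hashlib
import re

# Constructed sample message (not from the article), CRLF line endings as on the wire.
ORIGINAL_MESSAGE = (
    b"From: Alice <alice@example.com>\r\n"
    b"To: Bob <bob@example.org>\r\n"
    b"Subject: Contract draft\r\n"
    b"\r\n"
    b"Bob,\r\n"
    b"Attached is the revised draft; please keep it between us.\r\n"
    b"Alice\r\n"
)

# Footer a rewriting proxy might append; the wording is made up for this example.
PROXY_FOOTER = b"--\r\nSent via a third-party mail proxy\r\n"


def split_message(raw: bytes):
    """Split a wire-format message into header block and body at the first blank line."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    return head, body


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalisation: CRLF line endings, every trailing
    empty line removed, and exactly one CRLF at the end (an empty body becomes CRLF)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """bh= value: base64(SHA-256(canonicalised body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def add_body_hash_header(raw: bytes) -> bytes:
    """Signer side: prepend a DKIM-Signature header carrying bh= over the body.
    b= is omitted because this example exercises only the body hash."""
    head, body = split_message(raw)
    header = (
        b"DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel; "
        b"h=from:to:subject; bh=" + body_hash(body).encode("ascii") + b";\r\n"
    )
    return header + head + b"\r\n\r\n" + body


def proxy_rewrite(raw: bytes, footer: bytes) -> bytes:
    """Model an intermediary that alters the body in transit by appending a footer."""
    head, body = split_message(raw)
    return head + b"\r\n\r\n" + body + footer


_BH_TAG = re.compile(rb"(?:^|;)\s*bh=([A-Za-z0-9+/=]+)", re.MULTILINE)


def verify_body_hash(raw: bytes) -> bool:
    """Verifier side: recompute bh= over the received body and compare with the header.
    Assumes an unfolded DKIM-Signature header, which is what add_body_hash_header emits."""
    head, body = split_message(raw)
    match = _BH_TAG.search(head)
    if match is None:
        return False
    return match.group(1).decode("ascii") == body_hash(body)


if __name__ == "__main__":
    signed = add_body_hash_header(ORIGINAL_MESSAGE)
    print("unmodified message verifies:", verify_body_hash(signed))
    print("after proxy appended a footer:", verify_body_hash(proxy_rewrite(signed, PROXY_FOOTER)))
    print("after proxy appended only blank lines:", verify_body_hash(proxy_rewrite(signed, b"\r\n\r\n")))
```

The third case is the deliberate edge of the simple canonicalization: trailing empty lines are stripped before hashing, so an intermediary that only adds blank lines leaves the hash intact, while any appended content, a one-line footer included, makes verification fail.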

And finally, there are unanswered technical questions, the researchers noted. “Do the LinkedIn Intro servers mandate the use of SSL/TLS for all traffic?”, they asked. “Does the Intro app redirect all of the accounts on your phone, or just one that you nominate? Can you opt out of the man-in-the-middle attack feature?”
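A practitioner can answer the last two questions for a given device rather than wait for LinkedIn. The check below is an added example (editor's code, not LinkedIn's or Bishop Fox's) and assumes the reconfiguration is delivered as an iOS configuration profile (.mobileconfig) containing standard com.apple.mail.managed payloads, which the article does not state. It parses the profile, lists every mail account it defines, flags accounts whose IMAP/POP or SMTP host lies outside the address's own domain, and flags any connection configured without SSL/TLS. The profile is constructed for the example.

```python
import plistlib

# Constructed iOS configuration profile for this example (not LinkedIn's). It declares one
# IMAP account whose incoming and outgoing servers point at a host outside the account's
# own mail domain, with SSL/TLS switched off for SMTP.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.mailprofile</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mailprofile.account1</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>EmailAddress</key><string>alice@example.com</string>
      <key>IncomingMailServerHostName</key><string>imap.mailrelay.example.net</string>
      <key>IncomingMailServerPortNumber</key><integer>993</integer>
      <key>IncomingMailServerUseSSL</key><true/>
      <key>OutgoingMailServerHostName</key><string>smtp.mailrelay.example.net</string>
      <key>OutgoingMailServerPortNumber</key><integer>587</integer>
      <key>OutgoingMailServerUseSSL</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

MAIL_PAYLOAD_TYPE = "com.apple.mail.managed"


def mail_accounts(profile: bytes) -> list:
    """Return every managed mail account payload in an unsigned .mobileconfig (XML plist)."""
    plist = plistlib.loads(profile)
    return [p for p in plist.get("PayloadContent", []) if p.get("PayloadType") == MAIL_PAYLOAD_TYPE]


def _under_domain(host: str, domain: str) -> bool:
    return bool(domain) and (host == domain or host.endswith("." + domain))


def audit_mail_profile(profile: bytes, trusted_domains: tuple = ()) -> list:
    """Flag accounts whose incoming or outgoing mail host lies outside the address's own
    domain (unless it is under one of trusted_domains, for legitimately hosted mail) and
    any server connection configured without SSL/TLS. Returns one finding per issue."""
    findings = []
    for acct in mail_accounts(profile):
        address = acct.get("EmailAddress", "")
        mail_domain = address.rpartition("@")[2].lower()
        for label, host_key, ssl_key in (
            ("incoming", "IncomingMailServerHostName", "IncomingMailServerUseSSL"),
            ("outgoing", "OutgoingMailServerHostName", "OutgoingMailServerUseSSL"),
        ):
            host = acct.get(host_key, "").lower()
            trusted = _under_domain(host, mail_domain) or any(_under_domain(host, t) for t in trusted_domains)
            if not trusted:
                findings.append(f"{address}: {label} mail routed through third-party host {host}")
            if not acct.get(ssl_key, False):
                findings.append(f"{address}: {label} connection to {host} has SSL/TLS disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_mail_profile(SAMPLE_PROFILE):
        print(finding)
```

Two caveats. Many organisations legitimately use a mail host outside their own domain (hosted mail), so the domain check is a heuristic and trusted_domains exists to whitelist known providers. And installed profiles are usually CMS-signed; plistlib only reads the plain XML, so on macOS unwrap a signed profile first with `security cms -D -i profile.mobileconfig`. Seeing every account the profile touches answers the "all accounts or just one" question directly, and the UseSSL flags answer the TLS question for the client-to-proxy leg only; what the proxy does on the leg to the real mail server is not visible from the device.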

For its part, LinkedIn responded to Infosecurity’s request for comment with a list of security precautions:

  • We have isolated the Intro environment as a separate high security segment from the rest of LinkedIn systems as a matter of best practice.
  • We hardened all the services that are running the platform that are Internet and internally exposed.
  • We conducted a review with an outside vendor to inspect the code dealing with transmission of credentials and handling email content. Any vulnerabilities identified were remediated.
  • We ensured that credentials and mail content are never stored unencrypted.
  • We continuously monitor this environment for security and availability issues.

It also published a Privacy Pledge meant to address some of the concerns. Notably, LinkedIn said that it does not cache user information (such as passwords or the messages themselves) for longer than an hour, and in many cases only for a few minutes:

During usage, the servers may temporarily cache your emails in order to make emails download faster. When your device starts to download a mail folder, such as your inbox, the servers will pre-emptively download and cache recent messages in that folder. A few seconds later, when your device downloads the individual messages, the servers will provide the cached messages. Your messages are only cached until your device downloads them, and never for more than 1 hour. Typically, your messages are cached for no more than a few minutes.

All cached information is held securely to industry standards. Each piece of data is encrypted with a key that is unique to you and your device, and the servers themselves are secured and monitored 24/7 to prevent any unauthorized access.

