Researchers: LinkedIn Intro is a Man-in-the-Middle Attack

Researchers at Bishop Fox said that LinkedIn is doing nothing less than “hijacking email” and effecting the equivalent of a man-in-the-middle attack

“We have extended Apple’s built-in iOS Mail app, a feat that many people consider to be impossible,” LinkedIn noted in announcing the perk, adding, “We bent technology to our will.” Outgoing emails receive an additional signature. Incoming emails receive additional LinkedIn profile data.

But security researchers at the Bishop Fox consultancy said that the business-focused social network is doing nothing less than “hijacking email” and effecting the equivalent of a man-in-the-middle attack.

“Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers,” Bishop Fox analysts Vinnie Liu and Carl Livitt explained in a blog. “You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.”

They added, “if I were the NSA…and I hear everyone’s mobile phones were routing their emails through LinkedIn…well I know where I’m having my next birthday party.”

Of course, there’s no evidence that LinkedIn is snooping or otherwise using the data for any purpose other than to offer the aforementioned functionality. “We take the privacy and security of our members’ data very seriously and have taken a thoughtful approach to ensure we’ve put the right security precautions in place for the LinkedIn Intro product,” a spokesperson told Infosecurity.

Nonetheless, the exposure of Apple mail information to a third-party external drain is in and of itself cause for concern, the researchers asserted.

“You use your email to stay in touch with everyone in your life from your family to your friends to your business associates,” they said. “And you may exchange particularly sensitive messages with certain people like your lawyer, doctor, psychotherapist, or spiritual advisor. These communications are generally legally privileged and can’t be used as evidence in court – but only if you keep the messages confidential. It’s also likely that Intro violates most companies’ security and information-sharing policies, which usually command employees to not share sensitive data with third-parties.”

Bottom line, according to Bishop Fox? “If you let a third party have access to your privileged email, you could be waiving important legal protections.”

The researchers also said that the introduction of new data sources into “a medium rife with security issues” – i.e., email – opens up a new vector for phishing and, because LinkedIn is appending a signature on the end of emails, official signatures can no longer be verified.

And finally, there are unanswered technical questions, the researchers noted. “Do the LinkedIn Intro servers mandate the use of SSL/TLS for all traffic?”, they pondered. “Does the Intro app redirect all of the accounts on your phone, or just one that you nominate? Can you opt out of the man-in-the-middle attack feature?”
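The rerouting Bishop Fox describes above and the TLS question they raise can both be checked against a device's own mail account settings. As an added example that is not from the article, Bishop Fox or LinkedIn, this Python script audits constructed account records (the field names and hostnames are assumptions, not LinkedIn's infrastructure) for mail servers that sit outside the address's own domain or a provider allow-list, and for IMAP/SMTP connections without TLS.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class MailAccount:
    """Constructed, iOS-style mail account record (field names are assumptions)."""
    address: str
    imap_host: str
    imap_tls: bool
    smtp_host: str
    smtp_tls: bool


def registrable_domain(host: str) -> str:
    """Crude last-two-labels heuristic (no public-suffix list): imap.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit(account: MailAccount, known_providers: frozenset[str]) -> list[str]:
    """Return findings: servers outside the address's domain/allow-list, and missing TLS."""
    findings: list[str] = []
    expected = registrable_domain(account.address.split("@", 1)[1])
    for role, host in (("IMAP", account.imap_host), ("SMTP", account.smtp_host)):
        dom = registrable_domain(host)
        if dom != expected and dom not in known_providers:
            findings.append(f"{role} server {host} is outside {expected}: mail relayed via a third party")
    for role, tls in (("IMAP", account.imap_tls), ("SMTP", account.smtp_tls)):
        if not tls:
            findings.append(f"{role} connection is not TLS-protected")
    return findings


# Constructed sample accounts; relay-proxy.invalid stands in for any third-party relay.
SAMPLE_ACCOUNTS = [
    MailAccount("alice@example.com", "imap.example.com", True, "smtp.example.com", True),
    MailAccount("bob@example.com", "imap.relay-proxy.invalid", True, "smtp.relay-proxy.invalid", False),
    MailAccount("carol@example.org", "imap.gmail.com", True, "smtp.gmail.com", True),
]
KNOWN_PROVIDERS = frozenset({"gmail.com", "outlook.com", "icloud.com"})


def audit_all(accounts=SAMPLE_ACCOUNTS, known=KNOWN_PROVIDERS) -> dict[str, list[str]]:
    """Map each account address to its list of findings (empty list means clean)."""
    return {a.address: audit(a, known) for a in accounts}


if __name__ == "__main__":
    for addr, findings in audit_all().items():
        print(addr, "OK" if not findings else findings)
```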

For its part, LinkedIn responded to Infosecurity’s request for comment with a list of security precautions:

  • We have isolated the Intro environment as a separate high security segment from the rest of LinkedIn systems as a matter of best practice.
  • We hardened all the services that are running the platform that are Internet and internally exposed.
  • We conducted a review with an outside vendor to inspect the code dealing with transmission of credentials and handling email content. Any vulnerabilities identified were remediated.
  • We ensured that credentials and mail content are never stored unencrypted.
  • We continuously monitor this environment for security and availability issues.

It also published a Privacy Pledge meant to address some of the concerns. Notably, LinkedIn said that it doesn’t cache user information (such as passwords or the mails themselves) for longer than an hour (and in many cases, more like a few minutes):

During usage, the servers may temporarily cache your emails in order to make emails download faster. When your device starts to download a mail folder, such as your inbox, the servers will pre-emptively download and cache recent messages in that folder. A few seconds later, when your device downloads the individual messages, the servers will provide the cached messages. Your messages are only cached until your device downloads them, and never for more than 1 hour. Typically, your messages are cached for no more than a few minutes.

All cached information is held securely to industry standards. Each piece of data is encrypted with a key that is unique to you and your device, and the servers themselves are secured and monitored 24/7 to prevent any unauthorized access.
