Researchers Flag Security Flaws In New LinkedIn Offering
LinkedIn's new "Intro" tool could be a security nightmare waiting to happen, researchers warn
A new LinkedIn feature designed to familiarize users with their email partners could introduce a slew of security problems to enterprises and individuals who use it, researchers said this week.
The new feature, LinkedIn Intro, enables iPhone users to route their email through LinkedIn so that they can get background on an email sender or receiver before they write. The feature helps the user become more familiar with their email partners, LinkedIn says.
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- Innovations in Integration: Achieving Holistic Rapid Detection and Response
- Optimize Your SQL Environment for Performance & Flexibility
But security experts say the new feature is deeply flawed and potentially dangerous to the user's personal privacy -- and, by extension, to any enterprise that allows employees to use LinkedIn via the corporate network.
"Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right," states the security consulting firm Bishop Fox in a blog about the new LinkedIn feature. "Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.
The blog continues: "'But that sounds like a man-in-the-middle attack!' I hear you cry. Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing."
"To give them credit, from the engineering point of view it is pretty nifty. But from the security and privacy point of view it sends a shiver down my spine," said Graham Cluley, an independent security researcher, in a blog post. "LinkedIn also scooped up the contents of users' iOS calendars, including sensitive information such as confidential meeting notes and call-in numbers -- which they then transmitted in plain text, not encrypted."
In fact, Intro could create problems for encrypted email, the Bishop Fox blog says. "Cryptographic signatures will break because LinkedIn is rewriting your outgoing emails by appending a signature on the end," Bishop Fox states. "This means email signatures can no longer be verified. Encrypted emails are likely to break because of the same reason – extra data being appended to your messages."
The approach of the new feature could also create legal problems for email users because it changes the content of the email and interferes with confidentiality rules, Bishop Fox states.
"[LinkedIn] calls it 'doing the impossible,' but some might call it 'hijacking email,'" the blog says.
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.