Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Researchers Flag Security Flaws In New LinkedIn Offering

LinkedIn's new "Intro" tool could be a security nightmare waiting to happen, researchers warn

A new LinkedIn feature designed to familiarize users with their email partners could introduce a slew of security problems to enterprises and individuals who use it, researchers said this week.

The new feature, LinkedIn Intro, enables iPhone users to route their email through LinkedIn so that they can get background on an email sender or receiver before they write. The feature helps the user become more familiar with their email partners, LinkedIn says.

But security experts say the new feature is deeply flawed and potentially dangerous to the user's personal privacy -- and, by extension, to any enterprise that allows employees to use LinkedIn via the corporate network.

"Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right," states the security consulting firm Bishop Fox in a blog about the new LinkedIn feature. "Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.

The blog continues: "'But that sounds like a man-in-the-middle attack!' I hear you cry. Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing."

Other security experts also flagged the potential security vulnerabilities in the new LinkedIn feature.

"To give them credit, from the engineering point of view it is pretty nifty. But from the security and privacy point of view it sends a shiver down my spine," said Graham Cluley, an independent security researcher, in a blog post. "LinkedIn also scooped up the contents of users' iOS calendars, including sensitive information such as confidential meeting notes and call-in numbers -- which they then transmitted in plain text, not encrypted."

In fact, Intro could create problems for encrypted email, the Bishop Fox blog says. "Cryptographic signatures will break because LinkedIn is rewriting your outgoing emails by appending a signature on the end," Bishop Fox states. "This means email signatures can no longer be verified. Encrypted emails are likely to break because of the same reason – extra data being appended to your messages."

The approach of the new feature could also create legal problems for email users because it changes the content of the email and interferes with confidentiality rules, Bishop Fox states.

"[LinkedIn] calls it 'doing the impossible,' but some might call it 'hijacking email,'" the blog says.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
patligalli
50%
50%
patligalli,
User Rank: Apprentice
10/25/2013 | 9:21:40 PM
re: Researchers Flag Security Flaws In New LinkedIn Offering
thanks for the news , I am probably going to remove from my Iphone...
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31618
PUBLISHED: 2021-06-15
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why...
CVE-2021-20027
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
CVE-2021-32684
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
CVE-2021-34693
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
CVE-2021-27887
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...