

LinkedIn Intro Service Triggers Security, Privacy Fears

LinkedIn wants to scan your emails to add more information about the sender, raising the hackles of security and privacy advocates.

Is the new LinkedIn Intro service for iPhone users safe to use?

"LinkedIn Intro is an email service that helps you be brilliant with people," according to a related overview published by LinkedIn, which also details how Google Apps administrators can block employees from using the service.

"When people email you, we show you their LinkedIn profile: you can put faces to names, write more effective emails, and establish rapport," reads LinkedIn's pitch. "You can grow your professional network by connecting with them on LinkedIn."

There's just one catch: To use the service, a LinkedIn user must route all of their emails through LinkedIn's so-called "Intro" servers, which then scan the emails for certain types of content, and -- at least temporarily -- store the passwords to users' external email accounts. "The servers use software to extract information from each message: for example, the sender's email address is extracted, so that the servers can search for their LinkedIn profile to include in the message," according to LinkedIn's overview.


To accomplish this task, the servers may temporarily cache a user's password, presumably before generating an OpenID identifier that's then stored on the iPhone, and used to handle future authentication. "During installation, the servers temporarily cache your password in order to add a new Mail account to your device," according to LinkedIn. "Your password is only cached for the length of time it takes to install Intro, and never for more than two hours. Typically, your password is cached for no more than one minute."

But is it secure? A blog post from LinkedIn senior software engineer Martin Kleppmann is 97% a breathless explanation of how the technology -- gained via the company's 2012 acquisition of "rich contact profile" firm Rapportive -- functions, although there is a short "security and privacy" coda. "We understand that operating an email proxy server carries great responsibility," it reads. "We respect the fact that your email may contain very personal or sensitive information, and we will do everything we can to make sure that it is safe. Our principles and key security measures are detailed in our pledge of privacy."

Despite those assurances, the new LinkedIn product has raised the eyebrows of some security and privacy experts. "To give them credit, from the engineering point of view it is pretty nifty. But from the security and privacy point of view it sends a shiver down my spine," said Graham Cluley, an independent security researcher, in a blog post. In no small part, he said, that's due to the company having lost 6.5 million users' passwords last year. The breach only came to light after a hacker posted the passwords to a password-cracking forum.

But that's not the only questionable information security and privacy behavior on LinkedIn's part, he added. "LinkedIn also scooped up the contents of users' iOS calendars, including sensitive information such as confidential meeting notes and call-in numbers -- which they then transmitted in plain text, not encrypted," meaning that the information could have been easily intercepted by attackers. "LinkedIn is also, currently, the subject of a lawsuit alleging that they hacked into email accounts, in an attempt to mine address books," he said.

Others have flagged the degree of control that LinkedIn would enjoy, thanks to the technical setup. "LinkedIn Intro will Man-in-the-Middle user's IMAP connections to inject content from @LinkedIn profiles," tweeted Runa A. Sandvik, who's a core member of the Tor Project.

In other words, LinkedIn Intro inserts itself in between a user's mail client -- currently only for iOS, although the company plans to expand the service in the future -- and their email service's IMAP server, via an IMAP proxy server. Having access to a user's IMAP mailbox would also allow LinkedIn to scan all previously sent and received emails stored therein.

On the advertising front, LinkedIn's overview promises that "we will never sell, rent or give away private data about you or your contacts." Still, such scanning could be used to serve targeted advertising, as Google does, although the company appears to disavow that possibility. "Some products track the contents of your emails in order to show you advertising. LinkedIn Intro does not do that," according to the LinkedIn Intro overview.

What LinkedIn will do, however, is watch for email recipients who aren't LinkedIn users. "If you are not connected with the person on LinkedIn, we may later suggest them as a connection on the LinkedIn website and in our other mobile apps," according to the overview.

Legally speaking, however, Google is currently embroiled in a lawsuit over its automated scanning of Gmail messages -- to serve related advertising -- based in part on the fact that it doesn't allow email senders who aren't using Gmail to opt out of the scanning. In the case of LinkedIn, it's arguably only looking for information about other LinkedIn members. But by scanning everyone's messages, it might open itself up to accusations of wiretapping, as have been alleged in the consumer suit against Google.

A LinkedIn spokesman, contacted via email, wasn't immediately able to respond to an emailed request for comment about exactly what types of data Intro will collect beyond email addresses, whether it will scan emails stored on a user's IMAP server that date from before they sign up to Intro, or whether the technology underpinning the service might open LinkedIn to wiretapping charges from people whose emails are scanned, but who haven't signed up for the service.

Update -- LinkedIn has released additional information about its LinkedIn Intro program, emphasizing that it's an opt-in service. "Once you install Intro, a new Mail account is created on your iPhone. Only the email in this new Intro Mail account goes via LinkedIn; other Mail accounts are not affected in any way," it said. In addition, it noted that all related communications are fully encrypted, and that emails are only accessed when retrieved by LinkedIn from the mail server and sent to the iPhone. "LinkedIn servers automatically look up the 'From' email address, so that Intro can then be inserted into the email," it said.
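The proxy architecture described above means that "fully encrypted" is not end-to-end: the TLS session from the iPhone terminates at the proxy, which decrypts every message before re-encrypting it towards the client. The following added example (not LinkedIn's or Dark Reading's code) checks, from the client or administrator side, whether a mail account's IMAP endpoint presents a certificate issued under the mail provider's own domains or under a third party's; the certificate dictionaries use the layout of Python's `ssl.SSLSocket.getpeercert()`, the sample accounts and certificates are constructed, and the provider-to-domain mapping is an assumption an administrator would maintain.

```python
"""Does a mail account's IMAP TLS session end at the provider or at a proxy?

Added example, not LinkedIn's or Dark Reading's code. Certificates are
passed in the dict layout returned by ssl.SSLSocket.getpeercert(); all
sample data below is constructed.
"""

# Domains under which each mail provider issues its IMAP certificates.
# Assumption: an administrator maintains this for the providers in use.
PROVIDER_CERT_DOMAINS = {
    "gmail.com": ("gmail.com", "google.com"),
    "example.com": ("example.com",),
}


def cert_dns_names(cert):
    """DNS names a peer certificate is valid for: subjectAltName entries
    first, falling back to the subject Common Name when no SAN is present."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]


def under_domain(name, domain):
    """True if name (possibly a '*.x.y' wildcard) is domain or a subdomain."""
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def tls_terminates_at_provider(account_address, cert):
    """A proxy in the mail path presents a certificate for its own hostname,
    so TLS ends at the proxy rather than at the mailbox. Return True only
    when the certificate is named under the provider's own domains."""
    domain = account_address.rsplit("@", 1)[-1].lower()
    allowed = PROVIDER_CERT_DOMAINS.get(domain, ())
    return any(under_domain(n, d) for n in cert_dns_names(cert) for d in allowed)


def audit(accounts):
    """accounts: iterable of (address, imap_host, peer_cert). Returns one
    finding per account whose mail is decrypted by a third party en route."""
    return [(address, host, "TLS ends at a third party; mail is proxied")
            for address, host, cert in accounts
            if not tls_terminates_at_provider(address, cert)]


# Constructed samples: the second account points at a proxy whose certificate
# is valid for the proxy's own name but not for the provider's domains.
PROVIDER_CERT = {"subjectAltName": (("DNS", "imap.gmail.com"),)}
PROXY_CERT = {"subject": ((("commonName", "imap.intro-proxy.invalid"),),)}
SAMPLE_ACCOUNTS = [
    ("alice@gmail.com", "imap.gmail.com", PROVIDER_CERT),
    ("alice@gmail.com", "imap.intro-proxy.invalid", PROXY_CERT),
]

if __name__ == "__main__":
    for address, host, reason in audit(SAMPLE_ACCOUNTS):
        print(f"{address} via {host}: {reason}")
```

A certificate that validates correctly for the proxy's hostname still fails this check, which is the point: hostname validation alone cannot tell the client that a third party sits in the mail path.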

A LinkedIn spokeswoman declined to address the wiretapping question.

David F. Carr
User Rank: Apprentice
10/26/2013 | 6:31:51 PM
re: LinkedIn Intro Service Triggers Security, Privacy Fears
I've been using Rapportive with Gmail for a couple of years and find it useful for providing social context around my email correspondence, making it easy to see who I'm communicating with and a little bit about them, as well as whether I have an existing social network connection with them or might want to establish one.

As long as LinkedIn sticks to suggesting possible connections, rather than automatically adding them, I don't see why this is a problem.
User Rank: Apprentice
10/25/2013 | 8:33:28 AM
re: LinkedIn Intro Service Triggers Security, Privacy Fears
This information may also have come from the person that LinkedIn suggests that you connect to. Meaning if you ever email John Doe, and John agreed to let LinkedIn "scan" his email and glean contact details, it may have found the connection that way.
User Rank: Apprentice
10/24/2013 | 8:14:46 PM
re: LinkedIn Intro Service Triggers Security, Privacy Fears
I've noticed that LinkedIn and Facebook (others?) apparently are harvesting e-mail addresses from somewhere. Both offer to pair me up with people I have no real connection to but did exchange e-mail with many years ago. At first I thought some of the offered linkups were simply analysis of interconnection via the info on their web sites, but for many of these there really is no plausible way that a connection could have been obtained other than via harvesting personal information.
NJ Mike
User Rank: Apprentice
10/24/2013 | 6:20:04 PM
re: LinkedIn Intro Service Triggers Security, Privacy Fears
OK, so if I'm on LinkedIn, and I choose not to use this "service", but I send an email to somebody (who is not on my connection list) who does use it - my email will get scanned and information from my profile will be sent to them.
Gee, LinkedIn keeps giving more reasons to close my account.