LinkedIn snarfing contacts from Exchange

LinkedIn offers lots of chances for its users to hand over credentials so the social business network can suggest new connections. But a new offer to do so for Microsoft Outlook means contacts can be sucked out of Microsoft Exchange and exposed to the world. Australian sysadmin Adam Fowler noticed the feature and detailed its …

COMMENTS

This topic is closed for new posts.
Bronze badge
WTF?

Why

Is Exchange set up to allow this to happen by default in the first place? Seems more of another one of MS's "undocumented features" that's at fault, rather than LinkedIn's fault for being able to pull this data out from the server in the first place.

inb4eadonsmssecurityfail rant.

10
3
Bronze badge

Re: Why

Should be at least a +2 for this...one for beating Eadon to the punch and another one (or more) for pointing out that the default is wrong in Exchange and LinkedIn is just the first one to be seen falling over it.

3
2
Anonymous Coward

Re: Why

This is a simple example of the kind of data sucking that happens practically everywhere anyway.

To show you how widespread this is, try running WhatsApp without giving it access to your full address book. I think it's even in the T&Cs somewhere that you give them the right to purloin your entire list of contacts.

From an intelligence perspective this stuff is absolutely wonderful because you can quickly grab the entire relationship map of any {suspects/people you don't like/political activists/this year's evil entities} without pesky stuff like probable cause, due process and oversight.

Anyone with ANY concerns about privacy or with a duty to protect clients should really start to rethink using any US based entity. By now I'd rather trust China with my data - at least they're not pretending.

5
1
Anonymous Coward

Re: Why

It's misleading to offer this as an Exchange problem. This is generally a problem with allowing a 3rd party access to personal or corporate resources - this is a general risk with 3rd party apps.

Part of the problem is that especially on mobile devices it's not possible to be selective about what you allow. If you could identify a subset of data that you were willing to hand over to the planet the risk would be at least controllable, but apps want all or nothing. Well, all, because having the temerity to insist there are things you don't want to share like location either leads to an app that doesn't work on iOS, or one that doesn't even want to install on Android, the latter also not allowing you to change your mind later.

Mobile apps are still in their infancy when it comes to protection of information, and I personally don't consider this infantile state a coincidence. The Internet has two currencies: one is bitcoin, the other one is personal information. Only one of them is sort of legal.

1
1
Silver badge
Facepalm

Re: Why

Maybe I'm missing something here - this is a USER problem.

I've read quite a few company Computer Use Policies in my time, and every single one has something about "you should NEVER GIVE YOUR PASSWORD TO ANYONE".

Exchange (like most corporate email offerings) is secure (assuming it hasn't been badly set up) - you need to authenticate before you gain access to the data. You have a username and password that is unique to you, and you are probably at risk of gross misconduct if you give them to someone else. LinkedIn are someone else.

12
2
WTF?

Re: Why

I've no idea why anyone would downvote this.

It *is* a user problem. IT Security and HR should be involved in any data leakage investigation.

2
0
Silver badge

Re: Why

Doesn't matter what you disable, your employees will want to see that data via their web based account.

And if they can see it, anyone with their username/password and a note of the web server's address can see it.

Same goes for any email system.

0
0
Bronze badge

Re: Why

No, it's a vendor problem, for defaulting the platform to divulge information in an unwanted way.

But now, for those paid to say so, the problem is for the administrator to gyrate into untold dimensions to accomplish basic frigging corporate security.

What next? A quadruple helix, with quintuple flips to even have a firewall?

Note to self, look up this prostitute and see to it our company never hires it.

Even to rinse out toilets.

0
0

This post has been deleted by a moderator

Bronze badge

Re: Who's bright Idea was this

One can only wish that Exchange and any permutation of Outrage would manage security 101, for a change.

Hell, it took half a decade to get the Exchange team to block default open relays.

Having a choice between Exchange and Sendmail, I'd honestly go Sendmail. Configuring a sendmail.cf is easier than securing Exchange.

1
1
Anonymous Coward

sendmail

It's also stuck in the 70s.

0
0
Silver badge
Mushroom

Another reason

To avoid LinkedIn and MS-Exchange then?

<-- To both of them

4
0
Bronze badge
Happy

Re: Another reason

"To avoid ALL SOCIAL NETWORKING and MS-Exchange then?"

There...fixed it for you.

0
0
FAIL

Outlook insecure?

This has been the case since the Melissa virus in the 90s and why I've never recommended anybody use Outlook. Of course most IT Consultants would rather just have an easy sale and dump M$ stuff to everybody they can.

4
3
Anonymous Coward

Re: Outlook insecure?

Outlook hasn't had any issues with viruses for about a decade...and is about the best enterprise mailbox client that there is.

9
3
Silver badge

Re: Outlook insecure?

Outlook's not insecure in itself. It's the whole 'computing is easy' ethic used by MS to sell 'easy' computing to you when it never was easy, or generally usable to make it properly secure when it's too late.

0
0
FAIL

Re: Outlook insecure?

So Outlook users can safely uninstall their anti-virus programs now? No risk of viruses/trojans accessing their address book?

0
4
Bronze badge
WTF?

@ Ben Rose

So I suppose Outlook is the ONLY e-mail client that needs anti-virus programs?

Sure hope your job isn't in IT.

3
1

Re: @ Ben Rose

@ItsNotMe

I was responding to "Outlook hasn't had any issues with viruses" - as far as I'm concerned, there are hundreds of nasties out there that will happily spawn themselves to anybody in your Outlook address book. Outlook seems happy to do this; it's also how stuff like LinkedIn can also query your address book without much effort. Try doing that with a secure email program.

As far as I'm concerned, 90% of reasons for having AV installed in the workplace are either IE or Outlook. The other 10% is Windows.

0
2
Anonymous Coward

Re: @ Ben Rose

Please tell me of this secure email program you speak of that is so clever it knows when given a valid username and password, that is authorised to access the enterprise global address book, that it isn't actually the person who the credentials belong to.

0
0
Bronze badge

Re: Outlook insecure?

Yes! Absolutely!

Why, LinkedIn didn't even attempt to ask a Mac user for his address book.

On days that pigs naturally flew.

0
0

Re: @ Ben Rose

@AC 18:30

How about Lotus Notes? There is no username/password, it uses two factor authentication including a physical ID file with secure keys. LinkedIn is more than welcome to try and read our corporate Notes directories.

0
0

You're giving your work login credentials to a third party. Sounds like a potential sacking offence.

9
0
Anonymous Coward

Indeed, this sounds like the kind of thing that a sysadmin would rightly want arses kicked for, but any attempt would be shot down by a fuckwit manager or HR droid going 'but it's great for networking!'.

Come to think of it, someone in HR will probably be one of the first offenders.

5
0

LinkedIn getting more and more intrusive

I am getting more and more put off by LinkedIn's persistent attempts to scour my contacts. Was genuinely shocked when I saw them asking for my work Outlook account details. I work for a MegaCorp and I just know that loads of MarketingDroids will be merrily plugging in their details... It is a major security FAIL in the making.

7
0

LinkedIn KB article

http://help.linkedin.com/app/answers/detail/a_id/5025

It tells you how to disable it if you want to.

0
0
Stop

Both a user and a sysadmin problem

While I certainly agree that there is a problem with an employee that gives 3rd party apps access to corporate data against company rules, any decent sysadmin is going to want to know how to prevent this in the first place. It's very similar to the concept of employees who try to hook up a personal device to the corporate network at the office or over VPN against the company rules. People do these things anyway out of ignorance or arrogance. The competent sysadmin tries to make their network as secure as possible against unauthorized access, even from their own employees.

As an example, my company has a policy that unauthorized mobile devices can use our company wifi but not access certain internal resources. Rather than just have a company rule saying "don't do this" and leave network security to chance, there are network policies in place to ensure unauthorized devices can't access what they shouldn't. If our sysadmins told our management they simply don't need to secure the network against things users were told not to do, they'd be sitting in HR right after the person who violated policy.

1
0
Unhappy

- Would you like to hand over the passwords to all your email accounts, so we can have our way with them?

- Uhm, no thanks!

- OK then, ... how about now?

ETC, for F ever!

0
0