Email-sniffing Linkedin Intro NOT security threat, insists biz network

LinkedIn, the social network for suits, has come out in defence of its LinkedIn Intro app after security researchers panned it for making users' emails vulnerable to hackers. LinkedIn Intro is an iOS application that allows iPhone or fondleslab users to route their email through so that they receive background information on …

COMMENTS

This topic is closed for new posts.
  1. WinHatter

    Whaaa'

    Why would you let LinkedIn access your emails in the first place ????

    1. Frankee Llonnygog

      Re: Whaaa'

      Could be useful for harvesting LinkedIn details from unsubscribe requests following a spamshot

    2. BillG

      Re: Whaaa'

      After LinkedIn suffered a world-class hacking attack over a year ago,

      http://microcontroller.com/news/LinkedIn_Passwords_Hacked.asp

      now they find ways to make themselves more vulnerable?

      BTW, you have to admire LinkedIn's press release technology, using words like "hardened", "tiger team", and "worked closely". Don't you feel yourself involuntarily giving your trust to LinkedIn? And Zuckerberg wants to talk to you, too.

  2. Shell

    Yeah, but no.

    It seems a terrible idea. I read the justification on their blog yesterday and it just doesn't wash. It was only last year that their security was breached (http://news.cnet.com/8301-1009_3-57448079-83/millions-of-linkedin-passwords-reportedly-leaked-online/), and here they are trying to convince us that allowing them to route confidential business emails is a good idea? No system is 100% secure, and given their track record and the minimal fairly cosmetic functionality Intro offers, the risk just doesn't seem worth it.

    1. Gordon 10

      Re: Yeah, but no.

      Far be it from me to defend LinkedIn, but would you like to explain what "Confidential Business" emails are doing in your iPhone email app in the first place? Where I work that's a disciplinary offence in itself.

      I doubt this app impacts Good or any other segregated BYOD email app.

      The LinkedIn app itself isn't the most useful in itself and I wouldn't touch it with a bargepole, but I can see recruiters using it until they realise no-one else is.

      1. Shell

        Re: Yeah, but no.

        Fair point. I don't actually use my iPhone for work accounts at all (it's *my* phone, I don't want work emails out of work hours thank you very much). But I have plenty of other projects I'm involved in outside of work that have varying levels of confidentiality - let alone personal stuff I'd rather not be parsed by a 3rd party. Pretty sure some folks at Day Job connect to our Exchange servers via iOS devices though.

      2. Frankee Llonnygog

        Re: Yeah, but no.

        @ Gordon 10

        If you're so worried about confidentiality, why reveal your name and age in your sig?

  3. regadpellagru

    "LinkedIn is the process of defending itself against a lawsuit alleging it hacks into members' email accounts before uploading their address books and spamming their contacts. The social business network is contesting this class-action lawsuit, which it argues is without merit. ®" (link of the story is actually http://www.theregister.co.uk/2013/09/24/linkedin_spam_lawsuit_rebuttal/).

    I should really read El Reg more often. This appalling story of massive spam of my then 2000 Gmail contacts happened to me. I never noticed before some of them replied, asking what it meant, since few only can read English. What a bloody shame.

    Shame also I don't live in the US, where I could join this class-action lawsuit ...

    1. Alan Brown Silver badge

      What amazes me

      Is that the privacy mandarins in the EU haven't latched onto the litigation, as it's a privacy issue (The UK ones don't want to know. I asked them already)

      LinkedIn have been dubbed "the creepiest social network" for a very good reason

      https://www.google.co.uk/search?q=the+creepiest+social+network

      http://www.interactually.com/linkedin-creepiest-social-network/

      And that's without even going into the issue of their unceasing "invite" emails which can only be stopped by creating a LinkedIn account.

  4. Anonymous Coward

    I feel so reassured

    "When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible."

    That makes me feel so much better. But obviously I won't be letting you tamper with my emails any time soon, thank you very much.

  5. Alan Brown Silver badge

    a lot of mail admins

    Are in the process of blackholing Linkedin's networks

    199.101.161.0/24

    199.101.162.0/24

    199.101.163.0/24

    216.52.242.0/24

    69.28.147.0/24

    8.22.120.0/24

    2620:0109:C00D::/48

    2620:109:C00D::/48

    All prefixes announced by AS20049, LinkedIn Corporation

  6. Robert Helpmann??

    Sign Me Up!

    Leaving aside for a moment why anyone would want a third party to go through their e-mail, personal or otherwise, this still introduces a certain (and I would argue unacceptable) amount of risk to any communication sent through this service process. Simply put, it adds one more possible point of failure. It would seem difficult to assess the risk involved with this as, even if their independent review signed off on it, it is so much easier to attack than to defend against an attack. Also, people who use this might be considered high value targets. They are a self-selecting group that is open to spam, not too technically adept, make good money, and will provide the contact details of many just like themselves.

    As far as the security of the process, I would expect at least copycat apps imitating the genuine LinkedIn experience, with (slightly) less friendly results.

    This is a v.1 service that is asking users to trust with all of their correspondence from which they get little, if any, benefit. What's not to like?

  7. Wibble

    It ain't worf it...

    Having been a member of LinkedIn for years and a moderator of a busyish forum, I'm rapidly coming to the conclusion that it's just not worth a carrot. It is infested with spammers and self-publicists and recruitment agencies trying to slurp your contacts.

    The forums are pointless, mainly as it's related to your "real" persona, so one has to be really careful with everything said on pain of career repercussions later. Unlike here where one can say anything:-)

    To be honest, I'm really wondering what would happen if I said sod it and killed the account. Sod all I should imagine.

  8. An0n C0w4rd

    Puzzled

    Why on earth do they need the full content of the e-mail to pull down someone's LinkedIn profile? Surely all they need is the header From line, and maybe the To and CC lines if they're pulling down the profile for everyone on the e-mail?

    If the complete e-mails pass through the LinkedIn servers, then to me, the entire system is designed backwards. The client should pull down the mail to the phone and then make a request to LinkedIn to see if any of the header From/To/CC addresses are recognised. End of story.

    1. Oliver Humpage

      Re: Puzzled

      Clients like iOS Mail don't allow you to plug in that kind of functionality - they'll only display messages exactly as retrieved from an IMAP server. Therefore LinkedIn has to divert your Mail client to retrieve the entire (altered) message from their own mail servers.

      It's still a terrible idea though.
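
The header-only lookup proposed in the "Puzzled" comment above, sketched as an added example (not code from the thread, from LinkedIn or from Intro): the client cuts the message at the end of the header section before parsing, so the body and Subject can never reach the lookup request. The sample message, the function names and the JSON payload shape are constructed for illustration; lower-casing addresses is a normalisation assumption.

```python
import json
from email import policy
from email.parser import BytesHeaderParser

# Only these headers are needed to find the correspondents' profiles.
LOOKUP_HEADERS = ("From", "To", "Cc")


def header_block(raw: bytes) -> bytes:
    """Return the header section only; everything after the first blank line is dropped."""
    cuts = [i for i in (raw.find(b"\r\n\r\n"), raw.find(b"\n\n")) if i != -1]
    return raw[: min(cuts)] if cuts else raw


def lookup_addresses(raw: bytes) -> list:
    """Collect unique addr-specs from From/To/Cc, in order of first appearance."""
    msg = BytesHeaderParser(policy=policy.default).parsebytes(header_block(raw))
    seen = []
    for name in LOOKUP_HEADERS:
        for header in msg.get_all(name, []):
            for address in header.addresses:
                spec = address.addr_spec.lower()  # assumption: case-insensitive match
                if "@" in spec and spec not in seen:
                    seen.append(spec)
    return seen


def lookup_request(raw: bytes) -> str:
    """Build the only data that would leave the device (hypothetical payload shape)."""
    return json.dumps({"addresses": lookup_addresses(raw)})


# Constructed sample message: the body holds text and an address that must not leak.
SAMPLE = (
    b"From: Alice Example <Alice@example.com>\r\n"
    b"To: bob@example.net, Carol <carol@example.org>\r\n"
    b"Cc: alice@example.com\r\n"
    b"Subject: Q3 numbers\r\n"
    b"\r\n"
    b"Confidential: acquisition terms attached. Reply to deal-team@example.com\r\n"
)

if __name__ == "__main__":
    print(lookup_request(SAMPLE))
```
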

  9. mafoo

    track record

    LinkedIn has such a good track record with their users' security. They even salt their password hashes now!

    I'm definitely going to trust them with my email!

    [/sarcasm]

  10. Benjol

    LinkedIn = spam

  11. Justicesays

    So, headquartered in the US? Just bcc all your emails spys@nsa.gov

    Mountain View, CA, United States of America

    LinkedIn Corporation, Headquarters

    And so vulnerable to secret court orders from the secret court forcing them to grab all emails using their app, regardless of what they might say or currently intend.

    But they are independently audited right?

    iSEC Partners - San Francisco

    Suite 1020

    123 Mission Street

    San Francisco

    CA 94105

    Tel: +1 (0) 415 268-9300

    Oh well.

  12. Henry Wertz 1 Gold badge

    Yeah I wouldn't do this...

    Calling this a Man In The Middle *Attack* is pretty sensationalist, since a) It's not malicious and b) The user requested the mail go through the "man in the middle", rather than "the man in the middle" being there surreptitiously.

    That said, I probably wouldn't go for this. But if I was into LinkedIn... *shrug*.

  13. Pascal Monett Silver badge

    "in defence of its LinkedIn Intro app"

    There's nothing to defend. The LinkedIn team is a copycat group whose only saving grace is that they were smart enough to market their social network to the right target. As for the rest, they're just as capable of terrible ideas as anyone else and they're not very good at having bright ideas, are they?

    I was forced into LinkedIn by a previous job, and since I have one or two contacts in there that I actually appreciate, I find myself stuck on it because I don't know how to close my account without sending the wrong message to those people. Maybe I shouldn't worry about it though.

    In any case, I'm not too bothered. I only go on LinkedIn when someone I know mails me. My profile is about as empty as it can be, and as locked down as I can make it. As soon as they make another major blunder (countdown in 3..), I'll shut down my profile anyway. I'm sure people will understand.

    In any case, they can shove their sodding phone app. I'm not installing any crap of that kind.
