Email-sniffing Linkedin Intro NOT security threat, insists biz network

But it can WIPE your MOBE, shrieks infosec company

LinkedIn, the social network for suits, has come out in defence of its LinkedIn Intro app after security researchers panned it for making users' emails vulnerable to hackers.

LinkedIn Intro is an iOS application that lets iPhone or fondleslab users route their email through LinkedIn's servers so that they receive background information, drawn from LinkedIn profiles, on an email's sender or recipient.

However, security critics have described the product - a proxy service that sits between the iPhone's mail client and the user's mail server and rewrites passing emails to inject LinkedIn profile information - as a security risk of dubious utility. Several described it as a man-in-the-middle attack.
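The critics' point is architectural: whatever the proxy does with TLS on each hop, it can only inject a banner if it holds the decrypted message, parses it and modifies the body. The following Python sketch is an added example, not LinkedIn's code or anything from the article, that shows that step on a constructed message; the profile directory and the sample email are made up stand-ins for the data the real service would have.

```python
"""Added example: a minimal Intro-style mail rewriter (not LinkedIn's code).

The proxy described above terminates the client's connection, fetches mail
from the real server and hands a rewritten copy back. This shows the rewrite
step: the message body is available in the clear to whoever runs the proxy.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-in for the profile lookup the real service performs.
PROFILE_DIRECTORY = {
    "alice@example.com": {"name": "Alice Example", "title": "CISO, Example Corp"},
}

# Constructed sample message, as the proxy would see it after TLS termination.
RAW_MESSAGE = b"""\
From: Alice Example <alice@example.com>
To: Bob <bob@example.org>
Subject: Quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Bob, the figures are attached. Please keep them confidential.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Bob, the figures are attached. Please keep them confidential.</p></body></html>
--b1--
"""


def lookup_profile(sender_header):
    """Return the directory entry for the address in a From: header, or None."""
    _, addr = parseaddr(str(sender_header))
    return PROFILE_DIRECTORY.get(addr.lower())


def inject_banner(raw):
    """Parse a raw RFC 822 message and prepend a profile banner to each text part.

    Every text/plain and text/html part is read in the clear and rewritten;
    a message from an unknown sender is passed through untouched.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    profile = lookup_profile(msg["From"])
    if profile is None:
        return msg
    banner_text = f"[{profile['name']} - {profile['title']}]"
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body = part.get_content()
            part.set_content(f"{banner_text}\n\n{body}")
        elif ctype == "text/html":
            body = part.get_content()
            banner_html = f"<div>{profile['name']} - {profile['title']}</div>"
            part.set_content(body.replace("<body>", "<body>" + banner_html, 1),
                             subtype="html")
    return msg


def rewritten_text(raw):
    """Convenience accessor: the text/plain body after rewriting."""
    return inject_banner(raw).get_body(preferencelist=("plain",)).get_content()


def rewritten_html(raw):
    """Convenience accessor: the text/html body after rewriting."""
    return inject_banner(raw).get_body(preferencelist=("html",)).get_content()


if __name__ == "__main__":
    print(rewritten_text(RAW_MESSAGE))
```

Nothing here requires the proxy to weaken TLS on either hop, which is LinkedIn's point; the critics' point is that the operator of `inject_banner` necessarily reads, and could retain or alter, everything that passes through it.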

LinkedIn described these and other criticisms as based on a flawed perception of its latest offering. The product went through both internal and external reviews to verify its benign nature before its launch last week, Cory Scott, a senior manager for information security at LinkedIn, argues in a blog post.

When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible. We explored numerous threat models and constantly challenged each other to consider possible threat scenarios.

As well as commissioning a third-party code review of the credential handling and mail parsing/insertion code from security consultancy iSEC Partners, LinkedIn hardened its external and internal-facing services and took steps to reduce "exposure to third-party monitoring services and tracking". A "Tiger Team" of experienced internal testers "worked closely with the Intro team to make sure identified vulnerabilities were addressed," LinkedIn adds.

LinkedIn also says that it has put monitoring in place to "detect any potential attacks, react quickly, and immediately minimize exposure". The social network is also trying to assuage privacy and eavesdropping concerns.

All communications use SSL/TLS at each point of the email flow between the device, LinkedIn Intro, and the third-party mail system. When mail flows through the LinkedIn Intro service, we make sure we never persist the mail contents to our systems in an unencrypted form. And once the user has retrieved the mail, the encrypted content is deleted from our systems.

LinkedIn adds that security firm Bishop Fox was all wrong in suggesting that its service changes an iPhone's security profile.

"Intro works by pushing a security profile to your device," said the firm's blog. "But, these security profiles can do much, much more than just redirect your emails to different servers. A profile can be used to wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things."

Taken in isolation, you'd assume that LinkedIn was responding to a small group of naysayers but the criticism is far more widespread than that. The company's response, though indubitably sincere, ignores the central critique that LinkedIn Intro is essentially a bit useless as well as featuring a “man in the middle” architecture that turns the stomach of security pros.

“Having all your email scanned by LinkedIn automation to inject the contact profile banners is a marginal convenience feature at best,” said Gene Meltser, technical director at Neohapsis Labs.

“I can’t think of a situation where a user would agree to a reduced level of transport security of their emails in exchange for the novelty of being able to instantly view their LinkedIn contact’s details in the iPhone email client.”

LinkedIn is in the process of defending itself against a lawsuit alleging it hacks into members' email accounts before uploading their address books and spamming their contacts. The social business network is contesting this class-action lawsuit, which it argues is without merit. ®
