Feeds

Email-sniffing Linkedin Intro NOT security threat, insists biz network

But it can WIPE your MOBE, shrieks infosec company

Security for virtualized datacentres

LinkedIn, the social network for suits, has come out in defence of its LinkedIn Intro app after security researchers panned it for making users' emails vulnerable to hackers.

LinkedIn Intro is an iOS application that allows iPhone or fondleslab users to route their email through so that they receive background information on an email sender or receiver.

However, security critics have described the product - a proxy service that processes emails sent through iPhones in order to inject LinkedIn information into your communiqués - as a security risk of dubious utility. Several described it as a man in the middle attack.

LinkedIn described these and other criticisms as based on a flawed perception of its latest offering. The product has been through both internal and external reviews to verify its benign nature prior to its launch last week, Cory Scott, a senior manager for information security LinkedIn, argues in a blog post.

When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible. We explored numerous threat models and constantly challenged each other to consider possible threat scenarios.

As well as a third-party code review of the credential handling and mail parsing/insertion code by security consultancy iSEC Partners, LinkedIn also hardened external and internal-facing services as well as taking steps to reduce "exposure to third-party monitoring services and tracking". A “Tiger Team” of experienced internal testers "worked closely with the Intro team to make sure identified vulnerabilities were addressed," LinkedIn adds.

LinkedIn also says that it has put monitoring in place to "detect any potential attacks, react quickly, and immediately minimize exposure". The social network is also trying to assuage privacy and eavesdropping concerns.

All communications use SSL/TLS at each point of the email flow between the device, LinkedIn Intro, and the third-party mail system. When mail flows through the LinkedIn Intro service, we make sure we never persist the mail contents to our systems in an unencrypted form. And once the user has retrieved the mail, the encrypted content is deleted from our systems.

LinkedIn adds that security firm Bishop Fox was all wrong in suggesting that its service changes an iPhone's security profile.

"Intro works by pushing a security profile to your device," said the firm's blog. "But, these security profiles can do much, much more than just redirect your emails to different servers. A profile can be used to wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things."

Taken in isolation, you'd assume that LinkedIn was responding to a small group of naysayers but the criticism is far more widespread than that. The company's response, though indubitably sincere, ignores the central critique that LinkedIn Intro is essentially a bit useless as well as featuring a “man in the middle” architecture that turns the stomach of security pros.

“Having all your email scanned by LinkedIn automation to inject the contact profile banners is a marginal convenience feature at best,” said Gene Meltser, technical director at Neohapsis Labs.

“I can’t think of a situation where a user would agree to a reduced level of transport security of their emails in exchange of the novelty of being able to instantly view their LinkedIn contact’s details in the iPhone email client.”

LinkedIn is the process of defending itself against a lawsuit alleging it hacks into members' email accounts before uploading their address books and spamming their contacts. The social business network is contesting this class-action lawsuit, which it argues is without merit. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.