Feeds

Email-sniffing Linkedin Intro NOT security threat, insists biz network

But it can WIPE your MOBE, shrieks infosec company

Next gen security for virtualised datacentres

LinkedIn, the social network for suits, has come out in defence of its LinkedIn Intro app after security researchers panned it for making users' emails vulnerable to hackers.

LinkedIn Intro is an iOS application that allows iPhone or fondleslab users to route their email through so that they receive background information on an email sender or receiver.

However, security critics have described the product - a proxy service that processes emails sent through iPhones in order to inject LinkedIn information into your communiqués - as a security risk of dubious utility. Several described it as a man in the middle attack.

LinkedIn described these and other criticisms as based on a flawed perception of its latest offering. The product has been through both internal and external reviews to verify its benign nature prior to its launch last week, Cory Scott, a senior manager for information security LinkedIn, argues in a blog post.

When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible. We explored numerous threat models and constantly challenged each other to consider possible threat scenarios.

As well as a third-party code review of the credential handling and mail parsing/insertion code by security consultancy iSEC Partners, LinkedIn also hardened external and internal-facing services as well as taking steps to reduce "exposure to third-party monitoring services and tracking". A “Tiger Team” of experienced internal testers "worked closely with the Intro team to make sure identified vulnerabilities were addressed," LinkedIn adds.

LinkedIn also says that it has put monitoring in place to "detect any potential attacks, react quickly, and immediately minimize exposure". The social network is also trying to assuage privacy and eavesdropping concerns.

All communications use SSL/TLS at each point of the email flow between the device, LinkedIn Intro, and the third-party mail system. When mail flows through the LinkedIn Intro service, we make sure we never persist the mail contents to our systems in an unencrypted form. And once the user has retrieved the mail, the encrypted content is deleted from our systems.

LinkedIn adds that security firm Bishop Fox was all wrong in suggesting that its service changes an iPhone's security profile.

"Intro works by pushing a security profile to your device," said the firm's blog. "But, these security profiles can do much, much more than just redirect your emails to different servers. A profile can be used to wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things."

Taken in isolation, you'd assume that LinkedIn was responding to a small group of naysayers but the criticism is far more widespread than that. The company's response, though indubitably sincere, ignores the central critique that LinkedIn Intro is essentially a bit useless as well as featuring a “man in the middle” architecture that turns the stomach of security pros.

“Having all your email scanned by LinkedIn automation to inject the contact profile banners is a marginal convenience feature at best,” said Gene Meltser, technical director at Neohapsis Labs.

“I can’t think of a situation where a user would agree to a reduced level of transport security of their emails in exchange of the novelty of being able to instantly view their LinkedIn contact’s details in the iPhone email client.”

LinkedIn is the process of defending itself against a lawsuit alleging it hacks into members' email accounts before uploading their address books and spamming their contacts. The social business network is contesting this class-action lawsuit, which it argues is without merit. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.