Email-sniffing Linkedin Intro NOT security threat, insists biz network

But it can WIPE your MOBE, shrieks infosec company

LinkedIn, the social network for suits, has come out in defence of its LinkedIn Intro app after security researchers panned it for making users' emails vulnerable to hackers.

LinkedIn Intro is an iOS application that routes iPhone or fondleslab users' email through LinkedIn's servers so that they receive background information on an email's sender or recipient.

However, security critics have described the product - a proxy service that processes emails sent through iPhones in order to inject LinkedIn information into your communiqués - as a security risk of dubious utility. Several described it as a man-in-the-middle attack.

LinkedIn described these and other criticisms as based on a flawed perception of its latest offering. The product went through both internal and external reviews to verify its benign nature prior to its launch last week, Cory Scott, a senior manager for information security at LinkedIn, argues in a blog post.

When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible. We explored numerous threat models and constantly challenged each other to consider possible threat scenarios.

As well as a third-party code review of the credential handling and mail parsing/insertion code by security consultancy iSEC Partners, LinkedIn also hardened external and internal-facing services as well as taking steps to reduce "exposure to third-party monitoring services and tracking". A “Tiger Team” of experienced internal testers "worked closely with the Intro team to make sure identified vulnerabilities were addressed," LinkedIn adds.

LinkedIn also says that it has put monitoring in place to "detect any potential attacks, react quickly, and immediately minimize exposure". The social network is also trying to assuage privacy and eavesdropping concerns.

All communications use SSL/TLS at each point of the email flow between the device, LinkedIn Intro, and the third-party mail system. When mail flows through the LinkedIn Intro service, we make sure we never persist the mail contents to our systems in an unencrypted form. And once the user has retrieved the mail, the encrypted content is deleted from our systems.

LinkedIn adds that security firm Bishop Fox was all wrong in suggesting that its service changes an iPhone's security profile.

"Intro works by pushing a security profile to your device," said the firm's blog. "But, these security profiles can do much, much more than just redirect your emails to different servers. A profile can be used to wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things."
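The profile mechanism Bishop Fox describes can be checked before a profile is installed. As an added example (not code from LinkedIn, Bishop Fox or this article), the Python below parses a .mobileconfig with the standard library and reports mail-account payloads whose servers sit outside the user's own mail provider, plus any MDM payload and whether its access rights include device erase; the sample profile and its hostnames are constructed placeholders.

```python
import plistlib

MAIL_PAYLOAD = "com.apple.mail.managed"
MDM_PAYLOAD = "com.apple.mdm"
MDM_RIGHT_ERASE = 8  # "Allow device erase" bit of the MDM AccessRights bitmask

# Constructed sample profile (hostnames are placeholders): a mail account whose
# IMAP/SMTP servers point at a third-party proxy instead of the user's own
# provider, plus an MDM payload enrolling the device with that third party.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadDisplayName</key><string>Mail helper</string>
<key>PayloadContent</key><array>
 <dict>
  <key>PayloadType</key><string>com.apple.mail.managed</string>
  <key>EmailAddress</key><string>user@mailprovider.example</string>
  <key>IncomingMailServerHostName</key><string>imap.intro-proxy.example</string>
  <key>OutgoingMailServerHostName</key><string>smtp.intro-proxy.example</string>
 </dict>
 <dict>
  <key>PayloadType</key><string>com.apple.mdm</string>
  <key>ServerURL</key><string>https://mdm.intro-proxy.example/</string>
  <key>AccessRights</key><integer>8191</integer>
 </dict>
</array></dict></plist>"""


def audit_profile(raw: bytes, trusted_mail_domains: set) -> list:
    """Return findings for a .mobileconfig: each payload is a dict keyed by PayloadType."""
    findings = []
    for payload in plistlib.loads(raw).get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == MAIL_PAYLOAD:
            # A mail server outside the user's own provider means a proxy sits in the path.
            for key in ("IncomingMailServerHostName", "OutgoingMailServerHostName"):
                host = payload.get(key, "")
                if not any(host == d or host.endswith("." + d) for d in trusted_mail_domains):
                    findings.append(f"mail relayed via third party: {key}={host}")
        elif ptype == MDM_PAYLOAD:
            # Any MDM payload grants remote management; the rights mask says how much.
            rights = int(payload.get("AccessRights", 0))
            erase = "includes device erase" if rights & MDM_RIGHT_ERASE else "no erase right"
            findings.append(f"MDM enrollment to {payload.get('ServerURL')} ({erase})")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE, {"mailprovider.example"}):
        print("WARNING:", finding)
```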

Taken in isolation, you'd assume that LinkedIn was responding to a small group of naysayers but the criticism is far more widespread than that. The company's response, though indubitably sincere, ignores the central critique that LinkedIn Intro is essentially a bit useless as well as featuring a “man in the middle” architecture that turns the stomach of security pros.

“Having all your email scanned by LinkedIn automation to inject the contact profile banners is a marginal convenience feature at best,” said Gene Meltser, technical director at Neohapsis Labs.

“I can’t think of a situation where a user would agree to a reduced level of transport security of their emails in exchange for the novelty of being able to instantly view their LinkedIn contact’s details in the iPhone email client.”

LinkedIn is in the process of defending itself against a lawsuit alleging it hacks into members' email accounts before uploading their address books and spamming their contacts. The social business network is contesting this class-action lawsuit, which it argues is without merit. ®
