Email-sniffing LinkedIn Intro NOT security threat, insists biz network
But it can WIPE your MOBE, shrieks infosec company
LinkedIn, the social network for suits, has come out in defence of its LinkedIn Intro app after security researchers panned it for making users' emails vulnerable to hackers.
LinkedIn Intro is an iOS application that allows iPhone or fondleslab users to route their email through the service so that they receive background information on an email sender or receiver.
However, security critics have described the product - a proxy service that processes emails sent through iPhones in order to inject LinkedIn information into your communiqués - as a security risk of dubious utility. Several described it as a man-in-the-middle attack.
LinkedIn described these and other criticisms as based on a flawed perception of its latest offering. The product has been through both internal and external reviews to verify its benign nature prior to its launch last week, Cory Scott, a senior manager for information security at LinkedIn, argues in a blog post.
"When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible. We explored numerous threat models and constantly challenged each other to consider possible threat scenarios."
As well as a third-party code review of the credential handling and mail parsing/insertion code by security consultancy iSEC Partners, LinkedIn also hardened external and internal-facing services as well as taking steps to reduce "exposure to third-party monitoring services and tracking". A “Tiger Team” of experienced internal testers "worked closely with the Intro team to make sure identified vulnerabilities were addressed," LinkedIn adds.
LinkedIn also says that it has put monitoring in place to "detect any potential attacks, react quickly, and immediately minimize exposure". The social network is also trying to assuage privacy and eavesdropping concerns.
"All communications use SSL/TLS at each point of the email flow between the device, LinkedIn Intro, and the third-party mail system. When mail flows through the LinkedIn Intro service, we make sure we never persist the mail contents to our systems in an unencrypted form. And once the user has retrieved the mail, the encrypted content is deleted from our systems."
LinkedIn adds that security firm Bishop Fox was all wrong in suggesting that its service changes an iPhone's security profile.
"Intro works by pushing a security profile to your device," said the firm's blog. "But, these security profiles can do much, much more than just redirect your emails to different servers. A profile can be used to wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things."
Taken in isolation, you'd assume that LinkedIn was responding to a small group of naysayers but the criticism is far more widespread than that. The company's response, though indubitably sincere, ignores the central critique that LinkedIn Intro is essentially a bit useless as well as featuring a “man in the middle” architecture that turns the stomach of security pros.
“Having all your email scanned by LinkedIn automation to inject the contact profile banners is a marginal convenience feature at best,” said Gene Meltser, technical director at Neohapsis Labs.
“I can’t think of a situation where a user would agree to a reduced level of transport security of their emails in exchange for the novelty of being able to instantly view their LinkedIn contact’s details in the iPhone email client.”
LinkedIn is in the process of defending itself against a lawsuit alleging it hacks into members' email accounts before uploading their address books and spamming their contacts. The social business network is contesting this class-action lawsuit, which it argues is without merit. ®