LinkedIn's Intro - an Intro to Insecurity Heaven for Attackers?

Continuing the discussion from this week on email security, I think it would be a good opportunity to discuss the objectives behind LinkedIn's new email service, Intro. The service has raised eyebrows among many in the technology blogosphere over the past month. Richard Bejtlich, chief research officer at Mandiant, cannot fathom that "someone thought this was a good idea." (Perlroth, 2013) Bejtlich described his reaction as "flabbergasted," and Perlroth reports that security researchers are warning that the professional network's new mobile app is "a dream come true for hackers or intelligence agencies."

So what is Intro? In her New York Times Technology article, Perlroth describes this new mobile app as "an e-mail plug-in for iOS users that pulls LinkedIn profile information into e-mails so that the sender’s job title appears front-and-center in e-mails on a user’s iPhone or iPad." While some describe this as a "smart play," an innovative way for LinkedIn to leverage social media for professionals rather than appear as a "static Web site they go to every couple of years to update their employment status" (Perlroth), not everyone shares this viewpoint. Cryptographer Bruce Schneier warns, "Don’t make the mistake of thinking you’re [the] customer, you’re not – you’re the product." (Fox, 2013) What LinkedIn refers to as "doing the impossible," however, some users refer to as "hijacking email."

"Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like." (Fox) Attorney Marcia Hofmann states, "If you let a third party have access to your privileged email, you could be waiving important legal protections." (Fox)

TechCrunch has published a very interesting blog post (http://techcrunch.com/2013/10/23/linkedin-intro-mail/) on the details of Intro's objective, including some fantastic visual examples of email with and without the controversial add-on. Based on Rapportive, which LinkedIn acquired in February 2012, Intro inserts a panel of social information into the email to give the people communicating more context about each other. (Constine, 2013) LinkedIn's Jeff Weiner describes this mashup of services as an opportunity to "beef up its mobile experience." (Constine) With Intro, writes Constine, users will "instantly see a photo, job title, and company in a tiny Intro panel inserted into your emails. Clicking it reveals a person’s full LinkedIn bio including mutual connections, previous jobs, college, current city, links to web presences like their blog, and a LinkedIn button to connect with them on the professional network." Seems legit.

Cleverly, no partnership with Apple is involved. Rather, Constine writes, Intro uses the publicly available API for “Configuration Profiles”. As a consumer, you provide the mobile app with your email address and password, Intro sets up the Configuration Profile, and the content appears in iOS Mail. Don't like it? You can simply disable it in your device's settings or in the Intro app that appears on your home screen.

Intro sounds like an innovative way to enhance communication with peers, and especially with prospective clients or employers, notes TechCrunch. However, it clearly comes with controversy. LinkedIn does provide a Pledge of Privacy (https://intro.linkedin.com/micro/privacy) that aims to reassure those who may be a bit skeptical of the new mobile app. It acknowledges that an application that integrates with a user's email "carries great responsibility." Rather than a mundane privacy policy, LinkedIn promises in its Pledge of Privacy that it will always respect user privacy.

LinkedIn describes this new app as an assistive way to allow you to "be brilliant with people." Perhaps it is. But not without controversy.

References

Constine, J. (2013). LinkedIn Launches Intro That Embeds Rapportive Info Into The iOS Mail App, Plus An iPad Redesign. TechCrunch. Retrieved from http://techcrunch.com/2013/10/23/linkedin-intro-mail/

Fox, B. (2013). LinkedIn ‘Intro’duces Insecurity. Bishop Fox. Retrieved from http://www.bishopfox.com/blog/2013/10/linkedin-intro/

Perlroth, N. (2013, October 24). LinkedIn’s New Mobile App Called ‘a Dream for Attackers’. The New York Times. Retrieved from http://bits.blogs.nytimes.com/2013/10/24/linkedins-new-mobile-app-called-a-dream-for-attackers/