LinkedIn's New Mobile App Called 'a Dream For Attackers'

An anonymous reader writes with a link to the New York Times' summary of a security and privacy disaster that's been inspiring angry posts on various social networks, including LinkedIn itself: "Security researchers are calling LinkedIn's new mobile app, Intro, a dream come true for hackers or intelligence agencies... Intro redirects e-mail traffic to and from users' iPhones and iPads through LinkedIn's servers, then analyzes and scrapes those e-mails for relevant data and adds pertinent LinkedIn details... Researchers liken that redirection to a so-called man-in-the-middle attack in which hackers, or more recently, intelligence agencies, intercept Internet traffic en route to its destination and do what they will with it."
  • by fuzzyfuzzyfungus ( 1223518 ) on Friday October 25, 2013 @08:17PM (#45241595)
    I'm not surprised ('social networks' in general make you the product, linkedin has always been a touch sleazy, especially for an ostensibly 'professional' site that could theoretically be making its money on the semi up-and-up by offering useful recruiting services); but I am fucking shocked at just what a clusterfuck this particular app is.

    So, you install the 'app'. It applies an iOS configuration profile to your phone. Those can do rather a lot [apple.com]... In this case (so far) what it does is set up an MiTM that routes all your email through their servers, and dynamically rewrites it to add content of their choice to messages.

    It's totally normal for 'social networks' to own you like livestock in everything you do on that network; but reaching out and grabbing all 3rd party email (Oh, man, are some corporate IT/Security people going to be spitting napalm about this one...) that passes through your handset, and including that? Ballsy. Really, really, ballsy. Makes the old "Hey, let's grab their entire contact list!" sleaze-scheme look like amateur hour.
  • Re:Umm... (Score:5, Informative)

    by immaterial ( 1520413 ) on Friday October 25, 2013 @08:22PM (#45241627)
    You have to allow their app to install a configuration profile that sets up iOS's Mail app to get your email through LinkedIn's proxy server; then LinkedIn can read your email and inject relevant code directly into the message before it hits the mail client: http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios [linkedin.com] *barf*
  • by immaterial ( 1520413 ) on Friday October 25, 2013 @08:26PM (#45241665)
    Informative summary; in case anyone cares LinkedIn's official explanation is here: http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios [linkedin.com]
  • Re:Umm... (Score:5, Informative)

    by icebike ( 68054 ) on Friday October 25, 2013 @08:56PM (#45241827)

    It is possible. Read what they say on their own web page [linkedin.com]:

    Once we got the IMAP proxy working, we were faced with another problem: how do we configure a device to use the proxy? We cannot expect users to manually enter IMAP and SMTP hostnames, choose the correct TLS settings, etc — it’s too tedious and error-prone.
    Fortunately, Apple provides a friendly way of setting up email accounts by using configuration profiles — a facility that is often used in enterprise deployments of iOS devices. Using this technique, we can simply ask the user for their email address and password, autodiscover the email provider settings, and send a configuration profile to the device. The user just needs to tap “ok” a few times, and then they have a new mail account.

    The users have no idea why they are clicking OK, but once it's done it works, so they ask no questions.
    After all, they are LinkedIn users, so they automatically aren't too bright.
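
The mechanism in the two comments above (fuzzyfuzzyfungus's "configuration profile that sets up an MiTM", and LinkedIn's own description of pushing IMAP/SMTP settings via a profile, quoted by icebike) is something corporate IT can audit for. What follows is an added example, not code from this page, from LinkedIn or from Apple. It constructs a .mobileconfig in the shape Apple's Configuration Profile Reference documents for a com.apple.mail.managed payload, with placeholder proxy hostnames (imap-proxy.example.net, smtp-proxy.example.net) standing in for whatever a third party would use, and then audits every mail payload in a profile against an assumed table of known-good servers per mail domain (EXPECTED_HOSTS, which an auditor would fill in from their own records). It also lists every payload type the profile installs, since a mail account is rarely the only thing a profile can carry.

```python
import plistlib
import uuid

# Constructed sample: a configuration profile in the shape Apple's
# Configuration Profile Reference documents for a mail account payload
# (PayloadType com.apple.mail.managed). The proxy hostnames are placeholders
# for this example, not any real service's infrastructure.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "net.example.mail-proxy-profile",
    "PayloadUUID": str(uuid.UUID(int=1)),
    "PayloadDisplayName": "Example mail proxy profile",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mail.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "net.example.mail-proxy-profile.mail",
            "PayloadUUID": str(uuid.UUID(int=2)),
            "PayloadDisplayName": "Gmail (via proxy)",
            "EmailAccountType": "EmailTypeIMAP",
            "EmailAddress": "alice@gmail.com",
            # Both directions point at the proxy, not at Google: this is the
            # redirection the comments above describe.
            "IncomingMailServerHostName": "imap-proxy.example.net",
            "IncomingMailServerPortNumber": 993,
            "IncomingMailServerUseSSL": True,
            "IncomingMailServerUsername": "alice@gmail.com",
            "OutgoingMailServerHostName": "smtp-proxy.example.net",
            "OutgoingMailServerPortNumber": 465,
            "OutgoingMailServerUseSSL": True,
            "OutgoingMailServerUsername": "alice@gmail.com",
        }
    ],
}

# Assumed table of legitimate servers per mail domain; an auditor fills this
# in from the organisation's own records.
EXPECTED_HOSTS = {
    "gmail.com": {"imap.gmail.com", "smtp.gmail.com"},
    "example.com": {"mail.example.com"},
}


def sample_profile_bytes():
    """Serialise the constructed profile as an (unsigned) XML .mobileconfig."""
    return plistlib.dumps(SAMPLE_PROFILE)


def payload_types(profile):
    """List every payload type a profile installs, so nothing else hides
    behind the mail account (VPN, proxies, certificates, restrictions...)."""
    return sorted(p.get("PayloadType", "?") for p in profile.get("PayloadContent", []))


def audit_mail_payload(payload, expected=EXPECTED_HOSTS):
    """Return human-readable findings for one com.apple.mail.managed payload."""
    findings = []
    domain = payload.get("EmailAddress", "").rpartition("@")[2].lower()
    known = expected.get(domain)
    for direction in ("Incoming", "Outgoing"):
        host = payload.get(f"{direction}MailServerHostName", "")
        # A host outside the provider's own servers means a third party sits
        # between the Mail app and the mailbox.
        if known is not None and host.lower() not in known:
            findings.append(f"{direction} server {host!r} is not a known server for {domain}")
        # Separately flag a cleartext leg, regardless of who the host is.
        if not payload.get(f"{direction}MailServerUseSSL", False):
            findings.append(f"{direction} connection to {host!r} does not use TLS")
    return findings


def audit_profile_bytes(data, expected=EXPECTED_HOSTS):
    """Parse an unsigned .mobileconfig (XML or binary plist) and audit each
    mail payload; returns {PayloadIdentifier: [findings]}."""
    profile = plistlib.loads(data)
    return {
        p.get("PayloadIdentifier", "?"): audit_mail_payload(p, expected)
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.mail.managed"
    }


if __name__ == "__main__":
    data = sample_profile_bytes()
    print("payload types:", payload_types(plistlib.loads(data)))
    for ident, findings in audit_profile_bytes(data).items():
        print(ident)
        for finding in findings:
            print("  -", finding)
```

Profiles delivered to a device are normally signed, and a signed .mobileconfig is a CMS (PKCS#7) envelope rather than a bare plist, so extract the inner plist first (for instance `openssl smime -verify -noverify -inform der -in profile.mobileconfig -out profile.plist`) and feed that to `audit_profile_bytes`. The audit treats "server is not the provider's" and "leg is not TLS" as separate findings on purpose: the Intro design described above passes the first check on encryption and still fails the second on who is in the middle.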

  • by fuzzyfuzzyfungus ( 1223518 ) on Friday October 25, 2013 @09:17PM (#45241951)
    "All communication from the Mail app to the LinkedIn Intro servers is fully encrypted. Likewise, all communication from the LinkedIn Intro servers to your email provider (e.g. Gmail or Yahoo! Mail) is fully encrypted."

    And all (transient) storage of the data being communicated while they are on the LinkedIn servers?

    Hmm... Didn't think so.

    Also worth noting: In their 'Pledge of Privacy' [linkedin.com](which may change from time to time, to 'clarify' things) they have an adorable little elision...

    "Do you read my email?

    In order to provide the Intro service, the servers use software to extract information from each message: for example, the sender's email address is extracted, so that the servers can search for their LinkedIn profile to include in the message."

    Well, ok, the system obviously wouldn't work if it didn't parse the email, right?

    "Do you store my email or my password?

    During usage, the servers may temporarily cache your emails in order to make emails download faster. When your device starts to download a mail folder, such as your inbox, the servers will pre-emptively download and cache recent messages in that folder. A few seconds later, when your device downloads the individual messages, the servers will provide the cached messages. Your messages are only cached until your device downloads them, and never for more than 1 hour. Typically, your messages are cached for no more than a few minutes."

    Well, ok, fast downloads are good, and temporary cache is temporary, so you totally aren't building a giant dossier of all my email, whew.

    Now... "the servers use software to extract information from each message". Hmm... it doesn't say a thing about the storage, use, retention, or anything else of that 'extracted information'. Nor (aside from giving the one example that is architecturally necessary, and thus trivial) does it provide any detail about what information is extracted. So, in fact, the only thing I know is that they say that a literal copy of my email is not being stored. (Maybe they only store my metadata, like the NSA?) Maybe they store any substrings that match a set of keywords? Who knows? Not you or me.
  • by icebike ( 68054 ) on Friday October 25, 2013 @10:15PM (#45242221)

    Google advertises to ME. They don't grab my contacts and send email to them.

    Further, if you use a non-web client to read your Gmail, you never even see the ads that they target toward you.

    I chose Gmail as my mail handler, knowing full well the rules of the game.
    People who use LinkedIn had no understanding that they were appointing them as their mail handler.
