LinkedIn's New Mobile App Called 'a Dream For Attackers'
An anonymous reader writes with a link to the New York Times' summary of a security and privacy disaster that's been inspiring angry posts on various social networks, including LinkedIn itself: "Security researchers are calling LinkedIn's new mobile app, Intro, a dream come true for hackers or intelligence agencies... Intro redirects e-mail traffic to and from users' iPhones and iPads through LinkedIn's servers, then analyzes and scrapes those e-mails for relevant data and adds pertinent LinkedIn details... Researchers liken that redirection to a so-called man-in-the-middle attack in which hackers, or more recently, intelligence agencies, intercept Internet traffic en route to its destination and do what they will with it."
Why is anyone surprised? (Score:5, Insightful)
It amazes me that people still don't understand that social networks don't exist to provide services to users.... they exist to turn users into products that can be sold.
They are going to keep getting more invasive as they figure out new ways to screw you over for a profit.
Re:Who cares. (Score:2, Insightful)
Not even occasional sex with your manager?
Re:Why is anyone surprised? (Score:5, Insightful)
Pretty smug and self congratulatory.
Everyone make sure you put Martin Kleppmann on your DO NOT HIRE list.
I hope Apple steps up and kicks them out of the App Store.
Re:Why is anyone surprised? (Score:5, Insightful)
That's what really gets me: If this were random geek giving a little chat about 'stupid IMAP regex tricks; the closest thing to greasemonkey for iOS mail!' and showing off an architecturally similar system for on-the-fly-rewrites of mail to add useful hooks to present features absent in the client, it'd be clever and endearing. But that isn't the game we are playing here. This is a slick, weaponized, weasel-worded-for-wide-deployment dangerous toy we are talking about here.
Either he knows that, and just doesn't give a fuck (in which case he is somewhere beneath contempt and heading further down), or he's dangerously myopic to an almost unbelievable degree.
How is this different from Gmail? (Score:4, Insightful)
Time for Apple to Step Up (Score:5, Insightful)
I'm calling on Apple to kick 3rd party applications out of the ability to make a configuration like this. This appears to be a significant security threat to the iOS platform and should be treated as such. Applications should not be able to do this on their own and as we have seen with LinkedIn, it can lead to no good.
For those sysadmins who would like to block this from occurring within their network or on their devices this was taken from Reddit. See the IMAP and SMTP configuration below and block it at the firewall.
IMAP: imap.intro.linkedin.com
SMTP: smtp.intro.linkedin.com
From the Apple configuration profile:
IncomingMailServerHostName imap.intro.linkedin.com
IncomingMailServerPortNumber 143
OutgoingMailServerHostName smtp.intro.linkedin.com
OutgoingMailServerPortNumber 587
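The hostnames and ports above come from the configuration profile Intro installs on the device. An administrator who wants to catch such a profile before it lands, or to derive firewall rules from it, can parse the profile itself rather than trusting the app. The following is an added example, not code from the post or from LinkedIn: it reads an Apple configuration profile (a plist), picks out the email payloads (Apple's `com.apple.mail.managed` payload type, with the `IncomingMailServerHostName` / `OutgoingMailServerHostName` keys shown in the post), flags any mail server under `intro.linkedin.com`, and emits REJECT rules. The sample profile embedded below is constructed for the demonstration, and the standard IMAP/submission ports used when a port key is absent are an assumption.

```python
import plistlib

INTRO_DOMAIN = "intro.linkedin.com"          # domain named in the post above
MAIL_PAYLOAD_TYPE = "com.apple.mail.managed"  # Apple's email payload type

# Constructed sample of the kind of profile the post describes (not a real
# capture); key names match Apple's email payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>IncomingMailServerHostName</key><string>imap.intro.linkedin.com</string>
      <key>IncomingMailServerPortNumber</key><integer>143</integer>
      <key>OutgoingMailServerHostName</key><string>smtp.intro.linkedin.com</string>
      <key>OutgoingMailServerPortNumber</key><integer>587</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# A constructed profile that points at the organisation's own servers; it
# should produce no hits.
CLEAN_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.clean.profile",
    "PayloadContent": [{
        "PayloadType": MAIL_PAYLOAD_TYPE,
        "IncomingMailServerHostName": "imap.example.com",
        "IncomingMailServerPortNumber": 993,
        "OutgoingMailServerHostName": "smtp.example.com",
        "OutgoingMailServerPortNumber": 587,
    }],
})


def is_under_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (case-insensitive,
    tolerating a trailing dot)."""
    h = host.strip().lower().rstrip(".")
    d = domain.strip().lower().rstrip(".")
    return h == d or h.endswith("." + d)


def mail_payloads(profile: bytes) -> list:
    """Return the email payload dicts inside a configuration profile."""
    root = plistlib.loads(profile)
    return [p for p in root.get("PayloadContent", [])
            if isinstance(p, dict) and p.get("PayloadType") == MAIL_PAYLOAD_TYPE]


def flag_proxied_mail(profile: bytes, domain: str = INTRO_DOMAIN) -> list:
    """Return (direction, host, port) for every mail server in the profile
    that lives under `domain`. Standard ports (143 IMAP, 587 submission) are
    assumed only when the profile omits the port key."""
    hits = []
    for p in mail_payloads(profile):
        for direction, host_key, port_key, default_port in (
            ("incoming", "IncomingMailServerHostName", "IncomingMailServerPortNumber", 143),
            ("outgoing", "OutgoingMailServerHostName", "OutgoingMailServerPortNumber", 587),
        ):
            host = p.get(host_key)
            if host and is_under_domain(host, domain):
                hits.append((direction, host, int(p.get(port_key, default_port))))
    return hits


def reject_rules(endpoints) -> list:
    """Render one iptables REJECT rule per flagged endpoint. iptables resolves
    the hostname when the rule is inserted, so pair this with a DNS sinkhole
    or re-resolve periodically if the addresses change."""
    return [f"iptables -A FORWARD -p tcp -d {host} --dport {port} -j REJECT"
            for _, host, port in endpoints]


if __name__ == "__main__":
    for rule in reject_rules(flag_proxied_mail(SAMPLE_PROFILE)):
        print(rule)
```

The profile check is the more robust control of the two: blocking the two hostnames stops the traffic, but inspecting profiles (for example on an MDM enrolment path) tells you which devices already have mail routed through a third party.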
Re:Why is anyone surprised? (Score:5, Insightful)
Nice link. Fascinating how they cream themselves for 2,000 words on the technical challenges they overcame to break into a system not meant for that, but only 3 short sentences that privacy is fine, they're serious, see this link. (At least until uproar made them add the italicized part at the end.) Very telling.