LinkedIn's New Mobile App Called 'a Dream For Attackers' 122

An anonymous reader writes with a link to the New York Times' summary of a security and privacy disaster that's been inspiring angry posts on various social networks, including LinkedIn itself: "Security researchers are calling LinkedIn's new mobile app, Intro, a dream come true for hackers or intelligence agencies... Intro redirects e-mail traffic to and from users' iPhones and iPads through LinkedIn's servers, then analyzes and scrapes those e-mails for relevant data and adds pertinent LinkedIn details... Researchers liken that redirection to a so-called man-in-the-middle attack in which hackers, or more recently, intelligence agencies, intercept Internet traffic en route to its destination and do what they will with it."
  • Who cares. (Score:5, Funny)

    by kurt555gs ( 309278 ) <kurt555gs@ov i . c om> on Friday October 25, 2013 @08:05PM (#45241499) Homepage

    I have had a Linkedin account forever. I never even go there any more. I've never met any women on Linkedin, so I find it totally useless.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Not even occasional sex with your manager?

    • by Anonymous Coward

      I don't use it. I keep it just in case I need to find another job. That is pretty much all.

    • by antdude ( 79039 )

      So, the women I see are not real on there? :P

  • by Anonymous Coward on Friday October 25, 2013 @08:08PM (#45241527)

    It amazes me that people still don't understand that social networks don't exist to provide services to users.... they exist to turn users into products that can be sold.

    They are going to keep getting more invasive as they figure out new ways to screw you over for a profit.

    • by fuzzyfuzzyfungus ( 1223518 ) on Friday October 25, 2013 @08:17PM (#45241595) Journal
      I'm not surprised ('social networks' in general make you the product, linkedin has always been a touch sleazy, especially for an ostensibly 'professional' site that could theoretically be making its money on the semi up-and-up by offering useful recruiting services); but I am fucking shocked at just what a clusterfuck this particular app is.

      So, you install the 'app'. It applies an iOS configuration profile to your phone. Those can do rather a lot [apple.com]... In this case (so far) what it does is set up a MiTM that routes all your email through their servers, and dynamically rewrites it to add content of their choice to messages.

      It's totally normal for 'social networks' to own you like livestock in everything you do on that network; but reaching out and grabbing all 3rd party email (Oh, man, are some corporate IT/Security people going to be spitting napalm about this one...) that passes through your handset, and including that? Ballsy. Really, really, ballsy. Makes the old "Hey, let's grab their entire contact list!" sleaze-scheme look like amateur hour.
      • by immaterial ( 1520413 ) on Friday October 25, 2013 @08:26PM (#45241665)
        Informative summary; in case anyone cares LinkedIn's official explanation is here: http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios [linkedin.com]
        • by icebike ( 68054 ) on Friday October 25, 2013 @08:49PM (#45241781)

          Pretty smug and self congratulatory.
          Everyone make sure you put Martin Kleppmann on your DO NOT HIRE list.

          I hope Apple steps up and kicks them out of the App Store.

          • by fuzzyfuzzyfungus ( 1223518 ) on Friday October 25, 2013 @09:04PM (#45241877) Journal
            It is admittedly a cute hack (presented in a smarmy tone); but the sheer tone-deafness and unwillingness or inability to recognize that you are proposing to subject potentially-hundreds-of-thousands of people's private information to your cute hack is sickening.

            That's what really gets me: If this were random geek giving a little chat about 'stupid IMAP regex tricks; the closest thing to greasemonkey for iOS mail!' and showing off an architecturally similar system for on-the-fly-rewrites of mail to add useful hooks to present features absent in the client, it'd be clever and endearing. But that isn't the game we are playing here. This is a slick, weaponized, weasel-worded-for-wide-deployment dangerous toy we are talking about here.

            Either he knows that, and just doesn't give a fuck (in which case he is somewhere beneath contempt and heading further down), or he's dangerously myopic to an almost unbelievable degree.
            • I think the plaintiff's lawyers are going to like that particular post.

              "It's an ill wind that blows nobody good."

            • by cbybear ( 256161 )

              Bingo! You nailed it exactly. No sense of morals or social obligation. Just does whatever comes to his little mind and thinks he is the most clever thing since the last shitstain to come along and think he knows more about tech than everyone else. What he fails to understand is that the people that created all this stuff we use knew how to do all this evil stuff, they just had better guiding values. Heck, they had guiding values period!

        • by fuzzyfuzzyfungus ( 1223518 ) on Friday October 25, 2013 @09:17PM (#45241951) Journal
          "All communication from the Mail app to the LinkedIn Intro servers is fully encrypted. Likewise, all communication from the LinkedIn Intro servers to your email provider (e.g. Gmail or Yahoo! Mail) is fully encrypted."

          And all (transient) storage of the data being communicated while they are on the LinkedIn servers?

          Hmm... Didn't think so.

          Also worth noting: In their 'Pledge of Privacy' [linkedin.com](which may change from time to time, to 'clarify' things) they have an adorable little elision...

          "Do you read my email?

          In order to provide the Intro service, the servers use software to extract information from each message: for example, the sender's email address is extracted, so that the servers can search for their LinkedIn profile to include in the message."

          Well, ok, the system obviously wouldn't work if it didn't parse the email, right?

          "Do you store my email or my password?

          During usage, the servers may temporarily cache your emails in order to make emails download faster. When your device starts to download a mail folder, such as your inbox, the servers will pre-emptively download and cache recent messages in that folder. A few seconds later, when your device downloads the individual messages, the servers will provide the cached messages. Your messages are only cached until your device downloads them, and never for more than 1 hour. Typically, your messages are cached for no more than a few minutes."

          Well, ok, fast downloads are good, and temporary cache is temporary, so you totally aren't building a giant dossier of all my email, whew.

          Now... " the servers use software to extract information from each message". Hmm... it doesn't say a thing about the storage, use, retention, or anything else of that 'extracted information'. Nor (aside from giving the one example that is architecturally necessary, and thus trivial), does it provide any detail about what information is extracted. So, in fact, the only thing I know is that they say that a literal copy of my email is not being stored (Maybe they only store my metadata, like the NSA?) Maybe they store any substrings that match a set of keywords? Who knows? Not you or me.
        • by dcollins ( 135727 ) on Friday October 25, 2013 @10:58PM (#45242427) Homepage

          Nice link. Fascinating how they cream themselves for 2,000 words on the technical challenges they overcame to break into a system not meant for that, but only 3 short sentences that privacy is fine, they're serious, see this link. (At least until uproar made them add the italicized part at the end.) Very telling.

        • Wow. That is an eye-opening list, the things it can modify is rather nasty. Just these alone scream that it should be blacklisted from any corporate environment:
          • VPN settings
          • LDAP directory service settings
          • Credentials and keys

          The absolute last thing I want on a phone with corporate network access is to have those permissions.

          • I do like the one where you can helpfully suggest a new backup URI for the phone to safely store its filevault encryption keys.
          • Really, (to the degree that Apple ever consents to anybody who isn't them having the keys to the kingdom), a device configuration profile is intended to be the keys to the kingdom. It's the closest thing to binding an iPhone to AD that Apple shows any signs of supporting, and should really be treated in a similar way (ie. the fact that binding a computer to an AD domain essentially owns it in every imaginable way, vs. the domain admin, is a feature. However, if your ISP's setup instructions told you "Now, a
            • What honestly does surprise me a bit is that Apple doesn't automatically blacklist/nuke from the app store, and generally unleash hell upon, any outfit that tries to deploy these things as though they were 'apps', to institutionally unaffiliated end users.

              Speaking of this, if you're an institutional end user already on a configuration profile, does this overwrite/replace it?

      • Even their old Android app had ridiculous permissions. LinkedIn is handy if you're looking for work, but web-only.

        • I haven't ever, and don't believe anyone I know has gotten a job via LinkedIn. I deny anyone I don't know personally. I don't install apps that ask for excessive permissions.. amazing how many flashlight apps you have to look through to find one without spyware.
      • I'm not surprised ('social networks' in general make you the product, linkedin has always been a touch sleazy, especially for an ostensibly 'professional' site that could theoretically be making its money on the semi up-and-up by offering useful recruiting services);

        Linkedin has many dubious methods that aren't visible to a typical person. I know some of the methods they employ to extend their grasp. The problem is that there is no way to explain this to people without a CS degree. It just irritates the victim to be a tool so they ignore it.
        To go from ironic to sardonic as well as self-deprecating, we are providing social comments on a site owned by a company that handles employment (DICE). So it is posters on a 'social network' that complain of the use of themsel

        • As much as your point about DICE is well taken, I'd honestly love to know how you would go about 'monetizing' a user who (voluntarily, and for no material reward, no less) impersonates a fungus with internet access in order to whine about surveillance and make bad geek jokes. I have the chilling suspicion that it can be done; but damned if I can imagine how...
      • by dbIII ( 701233 )
        If a lone $2 app guy did that, disclaimers, informing the customer or not, they'd be facing many years of jail time. It's depressing that the law does not seem to apply to these intrusive mongrels that can cause more damage than a cracker.
      • LinkedIn's service seems to be based on Rapportive, which has been around for a while. On desktops, they can just hook into web mail services and mail readers through extensions; no rerouting required. Of course, the information still ends up on their servers, but that's kind of the point: how could they give you information related to your mail messages if they couldn't look at it?

        On mobile, the hooks for this are missing. Furthermore, iOS is rather insistent on the precious specialness of Apple's own appl

      • What's strange to me is that Apple even allows configuration profiles to be distributed and installed by non-enterprise, third-party apps. This seems like a giant security hole. If I was Apple I'd be pulling this app from the store posthaste and closing that attack vector.

    • It amazes me that people still don't understand that social networks don't exist to provide services to users.... they exist to turn users into products that can be sold.

      It amazes me even more that people think they need a LinkedIn app on their phone. Seriously. WTF.

      If you think you need this app on your phone you get what you deserve.

    • Agreed.
    • It amazes me that people still don't understand that social networks don't exist to provide services to users.... they exist to turn users into products that can be sold.

      People don't realise this because it isn't true. What you describe is a relationship in which only the social network provider gains, but this isn't what people experience: people do get utility out of the functions the networking sites provide.

      You can certainly argue that the relationship is skewed, or that the price users are paying for t

  • by Anonymous Coward

    Now I feel a little less cowardly for having virtually no voluntary apps loaded on my android gadgets because of all the permissions required and no convenient way to limit access to my data.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Let me give you some friendly advice.

      1) Root it
      2) Install AFwall
      3) Configure AFwall to block most traffic

    • by icebike ( 68054 )

      The trick they used only works on IOS.

      (Not that I'm denying there could be an equivalent trick on Android).

    • by HJED ( 1304957 )
      I don't use it because I like some of the google apps, but I believe cyanmod allows you to control app permissions.
      • You can use the Google apps in cyanogenmod.

        • by HJED ( 1304957 )
          Some features are disabled on rooted phones (including cyanogenmod). I think it's mainly the DRM on their music store that means they won't let you buy on rooted phones. It is entirely possible they will disable other features in future and I don't really see the need for me to change.
          • I have no problem buying music (or anything) on a rooted Android. Not only that, people specifically root their phones to access other countries' Play stores. I'm not sure where you got that idea from.
          • Some features are disabled on rooted phones (including cyanogenmod). I think it's mainly the DRM on their music store that means they won't let you buy on rooted phones. It is entirely possible they will disable other features in future and I don't really see the need for me to change.

            They have disabled nothing as far as I can tell. I can buy music, books and apps. The only thing even remotely like you suggest is that Google Wallet pops up a banner telling me that my device is "unsupported". Wallet still works perfectly though.

          • by HJED ( 1304957 )
            Ok, it appears I'm incorrect. I swear I read something along those lines.
  • by Anonymous Coward on Friday October 25, 2013 @08:52PM (#45241805)

    The only thing I'm not surprised about is that this company hasn't been sued or hacked into the oblivion.

    I have a private email address. Only friends and family know about it. I don't use it to sign up for anything on the internet, I have other addresses for that. This particular address is the one I give out to people who might need to pull down a direct line of communication to me, wherever I am on the planet, assuming I have cellular and data connectivity. I also know precisely who has this address, and they are well aware that they're not to give it out to other people without my consent.

    One day I started getting spam from these LinkedIn assholes. The kind of spam that never stops, and just keeps badgering you to reply to it or click some stupid fucking button. If you want to "unsubscribe" from their awesome service, you have to go to a fucking website and enter in your email address. What the hell?

    Anyways, the person whose account started badgering me to confirm I know them... Never actually gave my email address to LinkedIn. He knew how much I despise modern day social networking and I trust him when he says he would never sign me up for something without my prior permission (why he would ever have a reason to sign me up for anything was beyond the both of us). Yet, there I was- getting spam from LinkedIn irregardless, with no way to stop it except to go to their idiot website and enter in my friggin' email address.

    The only conclusion that we could come to was that they leeched it from his phone or laptop *somehow*, because those were the only two places where my super private email address was being held. We later found out that a lot of other people on those address books started getting LinkedIn spam as well, so somehow, LinkedIn basically dumped his entire address book without his permission and started spamming everyone on it.

    As far as I'm concerned, LinkedIn can fuck off and go rot in hell. I told myself the next time they spammed me I'd start mailing C&D letters, because I'm sick and tired of having to unsubscribe from their bullshit pestering service every 3 months that I clearly did not sign up for (and if their EULA somehow makes it OK for them to spam me because my friend clicked OK, well, I'd be more than happy to take these fuckers to court over that).

    • Maybe it is that wonderful feature that asks for your email and password to check if your contacts already have a LinkedIn account so they will connect them for you.
      My email and password? Are you kidding?

    • Your friend is too dumb to not enter his email address/password into random websites... don't be surprised if this isn't the last of the spam.
    • by tapi0 ( 2805569 )

      "so somehow, LinkedIn basically dumped his entire address book without his permission and started spamming everyone on it."

      When signing up, and at random periods, linkedin asks you if you would like to have it trawl through your address book and automatically add people. It then prompts you to input your email address and password for the mail service.
      This is the same service that was on Slashdot recently as somebody was launching a class action suit for hacking their accounts.
      It's pretty clear what the

  • I find it ridiculous when I read blog posts on the net that claims that you have to have a linkedin account to get a job in the "tech world". Really? Since when? Maybe some asshole recruiter will require it but I've never had issues not having one. But then again, maybe they looked me up and found this famous guy, which there are... Hell, no complaints though. The only time I got a linked-in account was to view someone's profile and then i cancelled my account which I created using a temporary e-mail accoun

  • Of all the social networking sites, LinkedIn seems to be the evilest of the evil.

  • by tompaulco ( 629533 ) on Friday October 25, 2013 @09:20PM (#45241969) Homepage Journal
    Lucky for us their app is dumb. I will share what has happened several times to me. I get an e-mail saying "so and so has endorsed you". So and so probably doesn't really know what I do or know that I am an expert in whatever they are endorsing me for, but let's skip that. Okay, it says "add to profile". Click! "Would you like to install the LinkedIn App?" Why, no, since I already installed it like a year ago. Okay, so what is my other choice, "open mobile site". Click! "Please Login" and then it has a Google and a Yahoo login. Um, no, I want to login to LinkedIn, not Google or Yahoo. If I login to Google or Yahoo, then LinkedIn will browse all my contacts and spam them. So obviously I am not doing that. Ok, well I guess I will leave that e-mail sitting around and maybe look at it from a real computer someday. At least it works from a real computer.
    • by icebike ( 68054 )

      When someone sends me a LinkedIn Invite, I always consider the possibility that they don't understand that the LinkedIn app can mine all of their contacts by virtue of you handing over the passwords to your account. I send them an email and point to a couple of online sites that show them what is going on. Most of them are clueless that these invites are going out under their name.

      This was the subject of another Slashdot Story [slashdot.org] back in September.

    • LinkedIn is going rapidly down the toilet because they a) want to be Facebook, and b) don't understand their audience.

      Also, c) their iOS app is horrible. Seriously, it is several steps down even compared to their awful mobile website. It doesn't say much for a job networking and promotion company when they apparently were unable to hire a competent app designer (nor competent web designers, for that matter).

      On a side note - has anyone here ever been endorsed for skills you actually have by people who actual

  • Simple solution: Remove LinkedIn from your handset. Their app doesn't integrate that well anyway.

  • by markjhood2003 ( 779923 ) on Friday October 25, 2013 @09:30PM (#45242021)
    I'm not trying to troll here, but not being a Gmail user, I'm not sure how LinkedIn's scraping of email is any different than Google scraping it for advertising services. I understand that technically LinkedIn is acting as a proxy, and Google as an ISP, but how is the result any different?
    • by icebike ( 68054 ) on Friday October 25, 2013 @10:15PM (#45242221)

      Google advertises to ME. They don't grab my contacts and send email to them.

      Further, if you use a non-web client to read your gmail, you never even see the ads that they target toward you.

      I chose Gmail as my mail handler, knowing full well the rules of the game.
      People who use Linkedin had no understanding that they were appointing them as their mail handler.

      • by Anonymous Coward

        What's more, if I don't use LinkedIn, but I email someone who is using this service and that person replies to my email (including my email within his email), then my original email text is exposed to LinkedIn's system.

        So, I'd automatically not want to email anyone who'd open my communication up to that degree.

    • I would suggest a good portion of the difference is who has the email legitimately.

      I mean is it worse for your roommate, who you have loaned your car to before to take your car and drive across town without asking or for me who you don't know or just met to do the same?

    • Does LinkedIn currently have access to a copy of every email you read from Gmail? Probably not, but they would with this extension.

      Google parses your gmail, this would be Google processing your Outlook inbox on a Google server. Or me preprocessing all your mails and swearing that I'm not doing anything bad, even though its my revenue stream.

  • E-mail is fundamentally insecure. SMTP is easily spoofed because it has no authentication mechanism [cert.org]. By default every message travels unencrypted and nobody bothers to correct that. I cannot remember the last time I got an e-mail that was encrypted. Sure gmail may provide me with an SSL connection to read my mail but any message in my inbox could have bounced all over the net in the clear. Every large e-mail provider has been repeatedly hacked. If you are using a set of insecure protocols with no encr
  • by Hangtime ( 19526 ) on Friday October 25, 2013 @10:17PM (#45242231) Homepage

    I'm calling on Apple to kick 3rd party applications out of the ability to make a configuration like this. This appears to be a significant security threat to the iOS platform and should be treated as such. Applications should not be able to do this on their own and as we have seen with LinkedIn, it can lead to no good.

    For those sysadmins who would like to block this from occurring within their network or on their devices this was taken from Reddit. See the IMAP and SMTP configuration below and block it at the firewall.

    IMAP: imap.intro.linkedin.com
    SMTP: smtp.intro.linkedin.com
    From the Apple configuration profile:
    IncomingMailServerHostName imap.intro.linkedin.com
    IncomingMailServerPortNumber 143
    ....
    OutgoingMailServerHostName smtp.intro.linkedin.com
    OutgoingMailServerPortNumber 587
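    For admins who would rather inspect a profile before it reaches a handset than only block hostnames afterwards, here is an added example (not from the thread, LinkedIn or Apple) that parses a .mobileconfig plist with Python's plistlib, flags mail payloads whose IMAP/SMTP hosts are not on an approved list, and reports the VPN, LDAP and credential payload types mentioned upthread. The sample profile, the approved-host list and the payload-type descriptions are assumptions for the example; the mail-server keys and intro.linkedin.com hostnames are the ones quoted above.

```python
"""Audit an iOS configuration profile (.mobileconfig plist) for mail-proxy
and other high-privilege payloads.

Added example, not LinkedIn's or Apple's code. SAMPLE_PROFILE is constructed
for this example; the mail keys and hostnames are those quoted in the thread.
Payload type identifiers follow Apple's configuration profile reference
(assumed current when this was written)."""
import plistlib

# Mail servers the organisation's devices are allowed to talk to (assumed policy).
APPROVED_MAIL_HOSTS = {"imap.example.com", "smtp.example.com"}

# Payload types that grant far more than mail settings; descriptions assumed.
HIGH_PRIVILEGE_PAYLOADS = {
    "com.apple.vpn.managed": "VPN settings",
    "com.apple.ldap.account": "LDAP directory service settings",
    "com.apple.security.pkcs12": "credentials and keys (PKCS#12 identity)",
    "com.apple.security.root": "a trusted root certificate",
}

# Constructed sample: a profile that routes IMAP/SMTP through a third party
# and also installs a root certificate.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.intro.sample",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mail.managed",
            "PayloadIdentifier": "com.example.intro.mail",
            "EmailAddress": "user@example.com",
            "IncomingMailServerHostName": "imap.intro.linkedin.com",
            "IncomingMailServerPortNumber": 143,
            "OutgoingMailServerHostName": "smtp.intro.linkedin.com",
            "OutgoingMailServerPortNumber": 587,
        },
        {
            "PayloadType": "com.apple.security.root",
            "PayloadIdentifier": "com.example.intro.ca",
            "PayloadContent": b"<constructed placeholder, not a real certificate>",
        },
    ],
}


def sample_profile_bytes():
    """Serialise the constructed sample as an XML plist, as a .mobileconfig is."""
    return plistlib.dumps(SAMPLE_PROFILE)


def mail_servers(profile):
    """Yield (payload_id, direction, host, port) for every managed mail payload."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mail.managed":
            continue
        pid = payload.get("PayloadIdentifier", "<no identifier>")
        for direction in ("Incoming", "Outgoing"):
            host = payload.get(f"{direction}MailServerHostName")
            port = payload.get(f"{direction}MailServerPortNumber")
            if host:
                yield pid, direction, host, port


def audit_profile(plist_bytes, approved_hosts=APPROVED_MAIL_HOSTS):
    """Return [(payload_id, message)] for mail hosts outside the approved set
    and for payload types that change VPN, LDAP, credential or trust settings."""
    profile = plistlib.loads(plist_bytes)
    findings = []
    for pid, direction, host, port in mail_servers(profile):
        if host not in approved_hosts:
            findings.append((pid, f"{direction} mail routed via {host}:{port}, "
                                  "which is not an approved mail host"))
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in HIGH_PRIVILEGE_PAYLOADS:
            pid = payload.get("PayloadIdentifier", "<no identifier>")
            findings.append((pid, f"installs {HIGH_PRIVILEGE_PAYLOADS[ptype]} ({ptype})"))
    return findings


def firewall_targets(plist_bytes, approved_hosts=APPROVED_MAIL_HOSTS):
    """Hostnames to deny at the perimeter: every mail server in the profile
    that is not on the approved list (the blocking step described above)."""
    profile = plistlib.loads(plist_bytes)
    return sorted({host for _, _, host, _ in mail_servers(profile)
                   if host not in approved_hosts})


if __name__ == "__main__":
    blob = sample_profile_bytes()
    for pid, msg in audit_profile(blob):
        print(f"[{pid}] {msg}")
    print("deny at firewall:", ", ".join(firewall_targets(blob)))
```

    Point it at a real profile with `audit_profile(open("profile.mobileconfig", "rb").read())`; signed profiles are CMS-wrapped and need the signature stripped first, which this example does not do.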

    • by Bogtha ( 906264 )

      Applications should not be able to do this on their own

      They can't. All they can do is provide a configuration profile. This then prompts the user, who has the choice whether to install it or not.

      This feature is aimed at the enterprise market, where you don't want to walk your ten thousand employees through how to set up their email because even if 1% of them are idiots, you end up with a hundred people wasting your time.

  • by Anonymous Coward

    Anyone with the LinkedIn app.. REJECTED. You're too fucking stupid to be in IT.

    • Not sure why folks haven't figured this out. LinkedIn is simply an aol.com email address for the younger generation. If you still have a LinkedIn--you're not very bright.
  • Not sure how it keeps getting called a social network. It's an evil that has taken over a large segment of the job hunting market, especially in IT. I've got an account but actually read what I click so I haven't spammed my email contacts, and definitely won't be installing their crapware app. - HEX
  • Everything about this company is seedy and disgusting. Their "engineer" openly bragging on a blog about "doing the impossible" with a little IMAP MITM is breathtaking. Just about what we've come to expect from these assholes.

    At this point I have to ponder who in their right mind would associate with or hire anyone still idiotic enough to keep using this "service"?

    • by lgw ( 121541 )

      Amazing how many posts there are in this story saying "if you use Dice's competitor, you're an idiot". Makes one wonder.

  • I work in Sunnyvale where LinkedIn is putting up 3 very large, multi-story buildings for their new galactic headquarters. As I pass by them, I've wondered how they would possibly fill those buildings. Now I know. They're actually putting up their version of a data storage center, similar to the one NSA has built in Utah. They need room for the disk farms that store all these emails they've captured from their users.

  • I can't confirm now (source is slash dotted) but I don't remember them talking about abuse of "email as authorization" to most Internet sites.

    Say I do this. Even if I split my emails out to having a "bank/amazon/eBay" reset email, the IMAP proxy settings seem to me would let them check my email, and set password resets from my bank. Scary.

  • I think we should put the knives away for now.

    Someone else has pointed out LinkedIn's explanation of their solution here:
    http://tech.slashdot.org/comments.pl?sid=4379177&cid=45241665 [slashdot.org]

    I like the spirit behind this tutorial. Technically, it's an excellent, creative solution to a real problem - having emails annotated with additional context of our liking. Their only mistake is the overarching reach of the solution (i.e. send all your mail to LinkedIn). That makes it basically DoA. The 'proper' solution for this
