LinkedIn's New Mobile App Called 'a Dream For Attackers'
An anonymous reader writes with a link to the New York Times' summary of a security and privacy disaster that's been inspiring angry posts on various social networks, including LinkedIn itself: "Security researchers are calling LinkedIn's new mobile app, Intro, a dream come true for hackers or intelligence agencies... Intro redirects e-mail traffic to and from users' iPhones and iPads through LinkedIn's servers, then analyzes and scrapes those e-mails for relevant data and adds pertinent LinkedIn details... Researchers liken that redirection to a so-called man-in-the-middle attack in which hackers, or more recently, intelligence agencies, intercept Internet traffic en route to its destination and do what they will with it."
Who cares. (Score:5, Funny)
I have had a Linkedin account forever. I never even go there any more. I've never met any women on Linkedin, so I find it totally useless.
Re: (Score:2, Insightful)
Not even occasional sex with your manager?
Re: (Score:1)
I don't use it. I keep it just in case I need to find another job. That is pretty much all.
Re:Who cares. (Score:5, Interesting)
Exactly. Nobody I know ever uses it for anything *but* that.
Especially in certain parts of the IT industry. Keeping track of the ridiculous number of people you work with is impossible. Having a nice list - even if it spams your inbox with recruitment crap while you're not actively seeking employment opportunities - is a damned handy thing to have if you find yourself in a position to actually need to look for a job.
I'm not sure why any employer or anyone else trusts or cares about LinkedIn, especially in the IT field.
Most of the people on my LinkedIn profile who have vouched for my computer knowledge know nothing about computers. They've said I'm an expert at Java, PHP, and any other language that LinkedIn suggests even if I know absolutely nothing about said language. To them it's all the same, and it makes my LinkedIn profile utterly useless as I'm ranked higher in languages I don't know than I am in languages I actually do.
Re: (Score:2)
You're right - they have "commodified" the reference, turning it into a "like" and a "+1" with seriously debased value.
Too bad the emphasis in social networks has been placed on creating quantity of content, and not content with quality and substance...
Re: (Score:1)
About the only time I've looked at that site it was to look at the profile of the utter loser that lost the White House emails. That person (Bank VP on graduation and similar sinecures all the way) now works at a data recovery company! I suppose that sends the message that if you've been told the data needs to be reco
The references and social media aspects are pretty useless. It's just a place to put your resume online, like that other site, starts with a "D", hmm, something.
Legitimate recruiters (plus the other kind) search it for candidates worth contacting. That's what it's for: to help make that first contact. Just like a resume, once you're talking to a human it's done its job and you're past it.
Re: (Score:2)
Yeah, the "click to endorse" endorsements are LinkedIn's equivalent to a Facebook "like"; largely pointless. I get plenty of endorsements from people who know me from previous jobs, or work with me now but really don't know much about my proficiency in the skills for which they endorsed me. I'm a little more conservative in my endorsements, i.e. if I knew you as a trainer then I'm not going to endorse your project management skills if I have no first-hand experience of your project management abilities.
Writ
Re: (Score:1)
Are you shitting us? I know people have a compulsion to link-in with everyone, but a corporate mandate?
Comment removed (Score:5, Informative)
Re: (Score:3)
Well, we *did* get free international video calling and a rather nice operating system out of the deal.
But, yeah, it feels like the dream is pretty much over.
Re: (Score:1)
I often think about that last part. I found my ponderings validated when I ran across that article last week about Woz which mentions he doesn't have broadband at home. I found myself wondering, perhaps I should consider that option as well.
Re: (Score:1)
Which would of course be a reasonable course of action. I'm out in the country, and the crap we have is worthless. If LTE worked where I live, that's what we'd be using.
Re: (Score:2)
So, the women I see are not real on there? :P
Re: (Score:1)
They only keep track of you if their computer needs to be fixed. They want your brains, not your penis.
Re: (Score:2)
Interesting. I don't have a brain, but do have a penis. :P
Why is anyone surprised? (Score:5, Insightful)
It amazes me that people still don't understand that social networks don't exist to provide services to users.... they exist to turn users into products that can be sold.
They are going to keep getting more invasive as they figure out new ways to screw you over for a profit.
Re:Why is anyone surprised? (Score:5, Informative)
So, you install the 'app'. It applies an iOS configuration profile to your phone. Those can do rather a lot [apple.com]... In this case (so far) what it does is set up a MiTM that routes all your email through their servers, and dynamically rewrites it to add content of their choice to messages.
It's totally normal for 'social networks' to own you like livestock in everything you do on that network; but reaching out and grabbing all third-party email (Oh, man, are some corporate IT/Security people going to be spitting napalm about this one...) that passes through your handset, and including that? Ballsy. Really, really, ballsy. Makes the old "Hey, let's grab their entire contact list!" sleaze-scheme look like amateur hour.
Re:Why is anyone surprised? (Score:5, Informative)
Re:Why is anyone surprised? (Score:5, Insightful)
Pretty smug and self congratulatory.
Everyone make sure you put Martin Kleppmann on your DO NOT HIRE list.
I hope Apple steps up and kicks them out of the App Store.
Re:Why is anyone surprised? (Score:5, Insightful)
That's what really gets me: If this were random geek giving a little chat about 'stupid IMAP regex tricks; the closest thing to greasemonkey for iOS mail!' and showing off an architecturally similar system for on-the-fly-rewrites of mail to add useful hooks to present features absent in the client, it'd be clever and endearing. But that isn't the game we are playing here. This is a slick, weaponized, weasel-worded-for-wide-deployment dangerous toy we are talking about here.
Either he knows that, and just doesn't give a fuck (in which case he is somewhere beneath contempt and heading further down), or he's dangerously myopic to an almost unbelievable degree.
Re: (Score:2)
I think the plaintiff's lawyers are going to like that particular post.
"It's an ill wind that blows nobody good."
Re: (Score:1)
Don't you mean, "'Tis an ill wind that blows no minds"?
Re: (Score:1)
Bingo! You nailed it exactly. No sense of morals or social obligation. Just does whatever comes to his little mind and thinks he is the most clever thing since the last shitstain to come along and think he knows more about tech than everyone else. What he fails to understand is that the people that created all this stuff we use knew how to do all this evil stuff, they just had better guiding values. Heck, they had guiding values period!
Re:Why is anyone surprised? (Score:5, Informative)
And all (transient) storage of the data being communicated while they are on the LinkedIn servers?
Hmm... Didn't think so.
Also worth noting: In their 'Pledge of Privacy' [linkedin.com] (which may change from time to time, to 'clarify' things) they have an adorable little elision...
"Do you read my email?
In order to provide the Intro service, the servers use software to extract information from each message: for example, the sender's email address is extracted, so that the servers can search for their LinkedIn profile to include in the message."
Well, ok, the system obviously wouldn't work if it didn't parse the email, right?
"Do you store my email or my password?
During usage, the servers may temporarily cache your emails in order to make emails download faster. When your device starts to download a mail folder, such as your inbox, the servers will pre-emptively download and cache recent messages in that folder. A few seconds later, when your device downloads the individual messages, the servers will provide the cached messages. Your messages are only cached until your device downloads them, and never for more than 1 hour. Typically, your messages are cached for no more than a few minutes."
Well, ok, fast downloads are good, and temporary cache is temporary, so you totally aren't building a giant dossier of all my email, whew.
Now... "the servers use software to extract information from each message". Hmm... it doesn't say a thing about the storage, use, retention, or anything else of that 'extracted information'. Nor (aside from giving the one example that is architecturally necessary, and thus trivial) does it provide any detail about what information is extracted. So, in fact, the only thing I know is that they say that a literal copy of my email is not being stored (Maybe they only store my metadata, like the NSA?) Maybe they store any substrings that match a set of keywords? Who knows? Not you or me.
Re:Why is anyone surprised? (Score:5, Insightful)
Nice link. Fascinating how they cream themselves for 2,000 words on the technical challenges they overcame to break into a system not meant for that, but only 3 short sentences that privacy is fine, they're serious, see this link. (At least until uproar made them add the italicized part at the end.) Very telling.
Re: (Score:2)
The absolute last thing I want on a phone with corporate network access is to have those permissions.
Re: (Score:2)
What honestly does surprise me a bit is that Apple doesn't automatically blacklist/nuke from the app store, and generally unleash hell upon, any outfit that tries to deploy these things as though they were 'apps', to institutionally unaffiliated end users.
Speaking of this, if you're an institutional end user already on a configuration profile, does this overwrite/replace it?
Re: (Score:2)
Even their old Android app had ridiculous permissions. LinkedIn is handy if you're looking for work, but web-only.
Re: (Score:2)
I'm not surprised ('social networks' in general make you the product, linkedin has always been a touch sleazy, especially for an ostensibly 'professional' site that could theoretically be making its money on the semi up-and-up by offering useful recruiting services);
Linkedin has many dubious methods that aren't visible to a typical person. I know some of the methods they employ to extend their grasp. The problem is that there is no way to explain this to people without a CS degree. It just irritates the victim to be a tool so they ignore it.
To go from ironic to sardonic as well as self-deprecating, we are providing social comments on a site owned by a company that handles employment (DICE). So it is posters on a 'social network' that complain of the use of themsel
platform limitations (Score:2)
LinkedIn's service seems to be based on Rapportive, which has been around for a while. On desktops, they can just hook into web mail services and mail readers through extensions; no rerouting required. Of course, the information still ends up on their servers, but that's kind of the point: how could they give you information related to your mail messages if they couldn't look at it?
On mobile, the hooks for this are missing. Furthermore, iOS is rather insistent on the precious specialness of Apple's own appl
Re: (Score:2)
What's strange to me is that Apple even allows configuration profiles to be distributed and installed by non-enterprise, third-party apps. This seems like a giant security hole. If I was Apple I'd be pulling this app from the store posthaste and closing that attack vector.
Re: (Score:3)
It amazes me that people still don't understand that social networks don't exist to provide services to users.... they exist to turn users into products that can be sold.
It amazes me even more that people think they need a LinkedIn app on their phone. Seriously. WTF.
If you think you need this app on your phone you get what you deserve.
Re: (Score:2)
People don't realise this because it isn't true. What you describe is a relationship in which only the social network provider gains, but this isn't what people experience: people do get utility out of the functions the networking sites provide.
You can certainly argue that the relationship is skewed, or that the price users are paying for t
Much too easy for this to happen (Score:1)
Now I feel a little less cowardly for having virtually no voluntary apps loaded on my android gadgets because of all the permissions required and no convenient way to limit access to my data.
Re: (Score:2, Interesting)
Let me give you some friendly advice.
1) Root it
2) Install AFwall
3) Configure AFwall to block most traffic
Re: (Score:2)
The trick they used only works on iOS.
(Not that I'm denying there could be an equivalent trick on Android).
Re: (Score:2)
It's not really a VPN redirect, they simply proxy all mail through their own servers. Admittedly, you get some clues and warnings, when they ask you for your passwords for your mail, but I'm not convinced it's that easy to tell the mail client on Android to start suddenly using a proxy instead of what is configured into the phone.
We will probably have to wait and see if this trick shows up on Android.
Re: Much too easy for this to happen (Score:2)
You can use the Google apps in cyanogenmod.
Re: (Score:1)
Some features are disabled on rooted phones (including CyanogenMod). I think it's mainly the DRM on their music store that means they won't let you buy on rooted phones. It is entirely possible they will disable other features in the future and I don't really see the need for me to change.
They have disabled nothing as far as I can tell. I can buy music, books and apps. The only thing even remotely like you suggest is that Google Wallet pops up a banner telling me that my device is "unsupported". Wallet still works perfectly though.
They dump your address book, so I'm not surprised (Score:5, Interesting)
The only thing I'm not surprised about is that this company hasn't been sued or hacked into the oblivion.
I have a private email address. Only friends and family know about it. I don't use it to sign up for anything on the internet, I have other addresses for that. This particular address is the one I give out to people who might need to pull down a direct line of communication to me, wherever I am on the planet, assuming I have cellular and data connectivity. I also know precisely who has this address, and they are well aware that they're not to give it out to other people without my consent.
One day I started getting spam from these LinkedIn assholes. The kind of spam that never stops, and just keeps badgering you to reply to it or click some stupid fucking button. If you want to "unsubscribe" from their awesome service, you have to go to a fucking website and enter in your email address. What the hell?
Anyways, the person whose account started badgering me to confirm I know them... Never actually gave my email address to LinkedIn. He knew how much I despise modern day social networking and I trust him when he says he would never sign me up for something without my prior permission (why he would ever have a reason to sign me up for anything was beyond the both of us). Yet, there I was, getting spam from LinkedIn regardless, with no way to stop it except to go to their idiot website and enter in my friggin' email address.
The only conclusion that we could come to was that they leeched it from his phone or laptop *somehow*, because those were the only two places where my super private email address were being held. We later found out that a lot of other people on those address books started getting LinkedIn spam as well, so somehow, LinkedIn basically dumped his entire address book without his permission and started spamming everyone on it.
As far as I'm concerned, LinkedIn can fuck off and go rot in hell. I told myself the next time they spammed me I'd start mailing C&D letters, because I'm sick and tired of having to unsubscribe from their bullshit pestering service every 3 months that I clearly did not sign up for (and if their EULA somehow makes it OK for them to spam me because my friend clicked OK, well, I'd be more than happy to take these fuckers to court over that).
Re: (Score:2)
Maybe it's that wonderful feature that asks for your email and password to check if your contacts already have a LinkedIn account so they will connect them for you.
My email and password? Are you kidding?
Re: (Score:1)
"so somehow, LinkedIn basically dumped his entire address book without his permission and started spamming everyone on it."
When signing up, and at random periods, linkedin asks you if you would like to have it trawl through your address book and automatically add people. It then prompts you to input your email address and password for the mail service.
This is the same service that was on Slashdot recently as somebody was launching a class action suit for hacking their accounts.
It's pretty clear what the
I'm a Software Engineer and never used Linkedin (Score:1)
I find it ridiculous when I read blog posts on the net that claim that you have to have a LinkedIn account to get a job in the "tech world". Really? Since when? Maybe some asshole recruiter will require it but I've never had issues not having one. But then again, maybe they looked me up and found this famous guy, which there are... Hell, no complaints though. The only time I got a LinkedIn account was to view someone's profile and then I cancelled my account which I created using a temporary e-mail accoun
Damn (Score:2)
Of all the social networking sites, LinkedIn seems to be the evilest of the evil.
Lucky their app is dumb (Score:3)
When someone sends me a LinkedIn Invite, I always consider the possibility that they don't understand that the LinkedIn app can mine all of their contacts by virtue of you handing over the passwords to your account. I send them an email and point to a couple of online sites that show them what is going on. Most of them are clueless that these invites are going out under their name.
This was the subject of another Slashdot Story [slashdot.org] back in September.
Re: (Score:3)
LinkedIn is going rapidly down the toilet because they a) want to be Facebook, and b) don't understand their audience.
Also, c) their iOS app is horrible. Seriously, it is several steps down even compared to their awful mobile website. It doesn't say much for a job networking and promotion company when they apparently were unable to hire a competent app designer (nor competent web designers, for that matter).
On a side note - has anyone here ever been endorsed for skills you actually have by people who actual
LinkedIn does something intrusive? vote with feet! (Score:1)
Simple solution: Remove LinkedIn from your handset. Their app doesn't integrate that well anyway.
How is this different from Gmail? (Score:4, Insightful)
Re:How is this different from Gmail? (Score:4, Informative)
Google advertises to ME. They don't grab my contacts and send email to them.
Further, if you use a non-web client to read your Gmail, you never even see the ads that they target toward you.
I chose Gmail as my mail handler, knowing full well the rules of the game.
People who use LinkedIn had no understanding that they were appointing them as their mail handler.
Re: (Score:1)
What's more, if I don't use LinkedIn, but I email someone who is using this service and that person replies to my email (including my email within his email), then my original email text is exposed to LinkedIn's system.
So, I'd automatically not want to email anyone who'd open my communication up to that degree.
Re: (Score:2)
I would suggest a good portion of the difference is who has the email legitimately.
I mean is it worse for your roommate, who you have loaned your car to before to take your car and drive across town without asking or for me who you don't know or just met to do the same?
Re: (Score:2)
Does LinkedIn currently have access to a copy of every email you read from Gmail? Probably not, but they would with this extension.
Google parses your Gmail; this would be Google processing your Outlook inbox on a Google server. Or me preprocessing all your mails and swearing that I'm not doing anything bad, even though it's my revenue stream.
Dream for Attackers? That's a bit rich (Score:2)
Time for Apple to Step Up (Score:5, Insightful)
I'm calling on Apple to kick third-party applications out of the ability to make a configuration like this. This appears to be a significant security threat to the iOS platform and should be treated as such. Applications should not be able to do this on their own and, as we have seen with LinkedIn, it can lead to no good.
For those sysadmins who would like to block this from occurring within their network or on their devices, this was taken from Reddit. See the IMAP and SMTP configuration below and block it at the firewall.
IMAP: imap.intro.linkedin.com
SMTP: smtp.intro.linkedin.com
From the Apple configuration profile:
IncomingMailServerHostName imap.intro.linkedin.com IncomingMailServerPortNumber 143
OutgoingMailServerHostName smtp.intro.linkedin.com OutgoingMailServerPortNumber 587
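An added defender-side check for the advice above (this is not code from the post, from Reddit or from LinkedIn): it parses an iOS configuration profile (.mobileconfig, an XML plist), finds every mail-account payload, and flags accounts whose IMAP or SMTP host lies outside the domain of the account's own e-mail address, then lists those hosts for a firewall or DNS deny-list. The profile below is constructed; the server keys are the ones quoted in the post, and com.apple.mail.managed is Apple's standard mail payload type.

```python
import plistlib

# Constructed sample .mobileconfig: a mail account for alice@example.com whose
# IMAP/SMTP servers point at a third party. Only the two hostnames come from
# the thread; identifiers and the address are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.profile.constructed</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadIdentifier</key><string>example.mail.constructed</string>
      <key>EmailAddress</key><string>alice@example.com</string>
      <key>IncomingMailServerHostName</key><string>imap.intro.linkedin.com</string>
      <key>IncomingMailServerPortNumber</key><integer>143</integer>
      <key>OutgoingMailServerHostName</key><string>smtp.intro.linkedin.com</string>
      <key>OutgoingMailServerPortNumber</key><integer>587</integer>
    </dict>
  </array>
</dict>
</plist>
"""

MAIL_PAYLOAD = "com.apple.mail.managed"  # Apple's payload type for mail accounts

SERVER_KEYS = (
    ("incoming", "IncomingMailServerHostName", "IncomingMailServerPortNumber"),
    ("outgoing", "OutgoingMailServerHostName", "OutgoingMailServerPortNumber"),
)


def same_org(host, mail_domain):
    """True if host is the account's mail domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    mail_domain = mail_domain.lower()
    return host == mail_domain or host.endswith("." + mail_domain)


def find_mail_payloads(profile_bytes):
    """Return every mail-account payload, however deeply it is nested."""
    found, stack = [], [plistlib.loads(profile_bytes)]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if node.get("PayloadType") == MAIL_PAYLOAD:
                found.append(node)
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return found


def audit_profile(profile_bytes):
    """Flag mail payloads whose IMAP/SMTP host is outside the account's domain."""
    findings = []
    for payload in find_mail_payloads(profile_bytes):
        address = payload.get("EmailAddress", "")
        domain = address.rsplit("@", 1)[1] if "@" in address else ""
        for direction, host_key, port_key in SERVER_KEYS:
            host = payload.get(host_key)
            if host and (not domain or not same_org(host, domain)):
                findings.append({"payload": payload.get("PayloadIdentifier", "?"),
                                 "direction": direction, "host": host,
                                 "port": payload.get(port_key),
                                 "account_domain": domain or "(none)"})
    return findings


def hosts_to_block(findings):
    """Unique third-party mail hosts, sorted, for a firewall or DNS deny-list."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = audit_profile(SAMPLE_PROFILE)
    for f in results:
        print(f"{f['payload']}: {f['direction']} mail via {f['host']}:{f['port']} "
              f"(account domain {f['account_domain']})")
    print("block at the firewall:", ", ".join(hosts_to_block(results)))
```

A mismatch is a signal rather than proof: a custom domain hosted at a large provider will also trip it, so pair the check with an allow-list of your known provider hosts.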
Re: (Score:3)
They can't. All they can do is provide a configuration profile. This then prompts the user, who has the choice whether to install it or not.
This feature is aimed at the enterprise market, where you don't want to walk your ten thousand employees through how to set up their email because even if 1% of them are idiots, you end up with a hundred people wasting your time.
Makes it easier to screen IT candidates (Score:2, Interesting)
Anyone with the LinkedIn app.. REJECTED. You're too fucking stupid to be in IT.
LinkedIn is not a social network (Score:2)
LinkedIn is the ultimate sleaze company (Score:2)
Everything about this company is seedy and disgusting. Their "engineer" openly bragging on a blog about "doing the impossible" with a little IMAP MITM is breathtaking. Just about what we've come to expect from these assholes.
At this point I have to ponder who in their right mind would associate with or hire anyone still idiotic enough to keep using this "service"?
Re: (Score:2)
Amazing how many posts there are in this story saying "if you use Dice's competitor, you're an idiot". Makes one wonder.
I'll wave to your data as I pass by (Score:2)
I work in Sunnyvale where LinkedIn is putting up 3 very large, multi-story buildings for their new galactic headquarters. As I pass by them, I've wondered how they would possibly fill those buildings. Now I know. They're actually putting up their version of a data storage center, similar to the one NSA has built in Utah. They need room for the disk farms that store all these emails they've captured from their users.
Credentials in email. (Score:2)
I can't confirm now (source is slashdotted) but I don't remember them talking about abuse of "email as authorization" to most Internet sites.
Say I do this. Even if I split my emails out to having a "bank/amazon/eBay" reset email, the IMAP proxy settings seem to me would let them check my email, and set password resets from my bank. Scary.
Good solution, overarching reach (Score:2)
I think we should put the knives away for now.
Someone else has pointed out LinkedIn's explanation of their solution here:
http://tech.slashdot.org/comments.pl?sid=4379177&cid=45241665 [slashdot.org]
I like the spirit behind this tutorial. Technically, it's an excellent, creative solution to a real problem - having emails annotated with additional context of our liking. Their only mistake is the overarching reach of the solution (i.e. send all your mail to LinkedIn). That makes it basically DoA. The 'proper' solution for this
Re: (Score:3)
If it's running on your phone and you have an email app that downloads messages to your phone, it could be reading those files and sending them back to LinkedIn. It wouldn't really be redirecting it, but it would be copying it and sending it back there.
Which is why I'm very careful with what apps I download. If the website provides the same services, why would I download an app?
Re:Umm... (Score:5, Informative)
It is possible. Read what they say on their own web page [linkedin.com]:
Once we got the IMAP proxy working, we were faced with another problem: how do we configure a device to use the proxy? We cannot expect users to manually enter IMAP and SMTP hostnames, choose the correct TLS settings, etc — it’s too tedious and error-prone.
Fortunately, Apple provides a friendly way of setting up email accounts by using configuration profiles — a facility that is often used in enterprise deployments of iOS devices. Using this technique, we can simply ask the user for their email address and password, autodiscover the email provider settings, and send a configuration profile to the device. The user just needs to tap “ok” a few times, and then they have a new mail account.
The users have no idea why they are clicking OK, but once it's done it works, so they ask no questions.
After all, they are LinkedIn users, so they automatically aren't too bright.
Re: (Score:2)
Also, there is some interesting hilarity in you getting modded up for pointing me to a link that *I* introduced to this thread.
Re: (Score:2)
An iOS app has no access to any other app's files. The scheme you describe would fortunately be impossible.
A given app doesn't have access to another app's files; but since their scheme also employs a configuration profile [apple.com], I suspect you could have some fun with quietly twiddling per-app VPNs, the global HTTP proxy, silent installation of trusted certificates, and other useful little toys.
Re: (Score:3)
They just proxy all mail.
Normally your device connects directly to the servers of your email provider (Gmail, Yahoo, AOL, etc.), but we can configure the device to connect to the Intro proxy server instead.
The Intro proxy server speaks the IMAP protocol just like an email provider, but it doesn’t store messages itself. Instead, it forwards requests from the device to your email provider, and forwards responses from the email provider back to the device. En route, it inserts Intro information at the beginning of each message body — we call this the top bar.
http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios [linkedin.com]
I wonder if he will be so smug when they perp walk him out of his office.
Re: (Score:2)
Me, to some kid I work with upon him telling me he did that...with his company email login....(which is his network login). And. Nobody. Cared.