LinkedIn Defends Intro Email Security

LinkedIn responds to user and security expert concerns about new email feature, cites measures it took to make LinkedIn Intro safe.

(click image for larger view and for slideshow)
LinkedIn: 10 Important Changes
LinkedIns newest feature, called Intro,
stirred up controversy
last week when the professional social network introduced it -- and a few other features -- at an event about its mobile offerings. LinkedIn Intro is an opt-in service that lets you connect on a professional level with people you email every day.
When people email you, we show you their LinkedIn profile: you can put faces to names, write more effective emails, and establish rapport, LinkedIn said in the announcement. You can grow your professional network by connecting with them on LinkedIn.
But not everyone was as enthusiastic about it: Security experts were wary, especially in light of
LinkedIns breach last year
, which compromised 6.5 million user passwords. To use Intro, users are required to route all emails through LinkedIns Intro servers, which then scan them for certain types of content and temporarily store the passwords to users external accounts. Security expert Graham Cluley said this
sent a shiver down his spine
.
[ Learn how to keep your job search private. Read
5 LinkedIn Privacy Settings For Job Hunters
. ]
Over the weekend, LinkedIn responded to criticism in a
blog post
highlighting the measures it took to ensure Intro was safe and secure.
When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible, said Cory Scott, senior manager of information security at LinkedIn. We explored numerous threat models and constantly challenged each other to consider possible threat scenarios.
LinkedIn described the actions it took prior to Intros launch. Among them:
-- Isolating Intro in a separate network segment and implementing a security perimeter across trust boundaries;
-- Performing hardening of the external- and internal-facing services and reducing exposure to third-party monitoring services and tracking;
-- Engaging iSEC Partners, a security consultancy, to perform a line-by-line code review of the credential handling and mail parsing/insertion code;
-- Penetration testing the final implementation by LinkedIns internal team to ensure vulnerabilities were addressed; and
-- Ensuring it had the right monitoring in place to detect potential attacks, react quickly and minimize exposure.
LinkedIn clarified that all communications use SSL/TLS at each point of the email flow between a users device, LinkedIn Intro and the third-party email system. When mail flows through LinkedIn Intro, we make sure we never persist the mail contents to our systems in an unencrypted form, Scott said. And once the user has retrieved the mail, the encrypted content is deleted from our systems.
Scott also addressed rampant concerns from iOS users. Its important to note that we simply add an email account that communicates with Intro, he said. The profile also sets up a certificate to communicate with the Intro web endpoint through a web shortcut on the device. We do not change the devices security profile in the manner
described in a blog post
that was authored by security firm Bishop Fox on Thursday.
LinkedIns Scott said he and LinkedIn welcome healthy skepticism and speculation, but LinkedIn felt it was necessary to clarify its practices and correct the misperceptions.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
LinkedIn Defends Intro Email Security