LinkedIn Intro Service Triggers Security, Privacy Fears

Published: 22/11/2024   Category: security




LinkedIn wants to scan your emails to add more information about the sender, raising the hackles of security and privacy advocates.



Is the new LinkedIn Intro service for iPhone users safe to use?
LinkedIn Intro is "an email service that helps you be brilliant with people," according to a related overview published by LinkedIn, which also details how Google Apps administrators can block employees from using the service.
"When people email you, we show you their LinkedIn profile: you can put faces to names, write more effective emails, and establish rapport," reads LinkedIn's pitch. "You can grow your professional network by connecting with them on LinkedIn."
There's just one catch: To use the service, a LinkedIn user must route all of their emails through LinkedIn's so-called Intro servers, which then scan the emails for certain types of content, and -- at least temporarily -- store the passwords to users' external email accounts. "The servers use software to extract information from each message: for example, the sender's email address is extracted, so that the servers can search for their LinkedIn profile to include in the message," according to LinkedIn's overview.
To accomplish this task, the servers may temporarily cache a user's password, presumably before generating an OpenID identifier that's then stored on the iPhone and used to handle future authentication. "During installation, the servers temporarily cache your password in order to add a new Mail account to your device," according to LinkedIn. "Your password is only cached for the length of time it takes to install Intro, and never for more than two hours. Typically, your password is cached for no more than one minute."
But is it secure? A blog post from LinkedIn senior software engineer Martin Kleppmann is 97% a breathless explanation of how the technology -- gained via the company's 2012 acquisition of rich contact profile firm Rapportive -- functions, although there is a short security and privacy coda. "We understand that operating an email proxy server carries great responsibility," it reads. "We respect the fact that your email may contain very personal or sensitive information, and we will do everything we can to make sure that it is safe. Our principles and key security measures are detailed in our pledge of privacy."
Despite those assurances, the new LinkedIn product has raised the eyebrows of some security and privacy experts. "To give them credit, from the engineering point of view it is pretty nifty. But from the security and privacy point of view it sends a shiver down my spine," said Graham Cluley, an independent security researcher, in a blog post. In no small part, he said, that's due to the company having lost 6.5 million users' passwords last year. The breach only came to light after a hacker posted the passwords to a password-cracking forum.
But that's not the only questionable information security and privacy behavior on LinkedIn's part, he added. LinkedIn also scooped up the contents of users' iOS calendars, including sensitive information such as confidential meeting notes and call-in numbers -- which it then transmitted in plain text, not encrypted, meaning that the information could have been easily intercepted by attackers. LinkedIn is also, currently, the subject of a lawsuit alleging that it hacked into email accounts in an attempt to mine address books, he said.
Others have flagged the degree of control that LinkedIn would enjoy, thanks to the technical setup. "LinkedIn Intro will Man-in-the-Middle users' IMAP connections to inject content from @LinkedIn profiles," tweeted Runa A. Sandvik, who's a core member of the Tor Project.
In other words, LinkedIn Intro inserts itself between a user's mail client -- currently only for iOS, although the company plans to expand the service in the future -- and their email service's IMAP server, via an IMAP proxy server. Having access to a user's IMAP mailbox would also allow LinkedIn to scan all previously sent and received emails stored therein.
On the advertising front, LinkedIn's overview promises that "we will never sell, rent or give away private data about you or your contacts." Still, such scanning could be used to serve targeted advertising, as Google does, although the company appears to disavow that possibility. "Some products track the contents of your emails in order to show you advertising. LinkedIn Intro does not do that," according to the LinkedIn Intro overview.
What LinkedIn will do, however, is watch for email recipients who aren't LinkedIn users. "If you are not connected with the person on LinkedIn, we may later suggest them as a connection on the LinkedIn website and in our other mobile apps," according to the overview.
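The proxy arrangement described above, as an added example that is not LinkedIn's code: a small Python model of what any mail-rewriting proxy in the IMAP path sees and does. It parses each relayed message, extracts the From address, looks it up in a profile directory, injects a banner into the text/plain body, and separately reports which senders in a stored mailbox are and are not in the directory. The directory, the addresses and both sample messages are constructed for the example; the injection touches only the text/plain part, and a real proxy would also rewrite the HTML alternative.

```python
"""Illustrative model of a mail-rewriting IMAP proxy (added example, not LinkedIn's code)."""
import email
from email import policy

# Constructed stand-in for the profile lookup a service like Intro performs.
# Names, titles and addresses are made up for this example.
PROFILE_DIRECTORY = {
    "alice@example.com": {"name": "Alice Example", "title": "Security Engineer"},
}

# Constructed sample messages, as the proxy would receive them from the IMAP server.
SAMPLE_MESSAGE = b"""From: Alice Example <alice@example.com>
To: bob@example.org
Subject: Project update
Content-Type: text/plain; charset="utf-8"

Hi Bob, the draft is attached.
"""

SAMPLE_MULTIPART = b"""From: carol@example.net
To: bob@example.org
Subject: Call-in details
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Dial 555-0100, PIN 1234.
--sep
Content-Type: text/html; charset="utf-8"

<p>Dial 555-0100, PIN 1234.</p>
--sep--
"""


def extract_sender(raw: bytes) -> str:
    """Return the bare sender address from a raw RFC 5322 message, or '' if absent."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].addr_spec.lower()


def rewrite_message(raw: bytes, directory=PROFILE_DIRECTORY):
    """Inject a profile banner into the text/plain body of one message.

    Returns (rewritten_bytes, sender, matched). Note that the proxy reads the
    full plaintext whether or not the sender is in the directory.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = extract_sender(raw)
    profile = directory.get(sender)
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        # Nothing to inject into; relay the message untouched.
        return raw, sender, profile is not None
    text = body.get_content()
    if profile:
        banner = f"[Profile] {profile['name']}, {profile['title']}\n\n"
    else:
        banner = f"[Profile] No profile found for {sender}\n\n"
    body.set_content(banner + text)
    return msg.as_bytes(), sender, profile is not None


def scan_mailbox(raw_messages, directory=PROFILE_DIRECTORY):
    """Map every sender in a stored mailbox to whether it is in the directory.

    This is what IMAP access hands the proxy: the existing backlog, not only
    new mail, and the addresses of non-members as well as members.
    """
    seen = {}
    for raw in raw_messages:
        sender = extract_sender(raw)
        if sender:
            seen[sender] = sender in directory
    return seen


if __name__ == "__main__":
    rewritten, who, hit = rewrite_message(SAMPLE_MESSAGE)
    print(f"sender={who} matched={hit}")
    print(rewritten.decode())
    print(scan_mailbox([SAMPLE_MESSAGE, SAMPLE_MULTIPART]))
```

Running the block shows the banner spliced above the original body text and the mailbox scan returning both the member and the non-member address; the latter is exactly the data a "we may later suggest them as a connection" feature needs.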
Legally speaking, however, Google is currently embroiled in a lawsuit over its automated scanning of Gmail messages -- to serve related advertising -- based in part on the fact that it doesn't allow email senders who aren't using Gmail to opt out of the scanning. In the case of LinkedIn, it's arguably only looking for information about other LinkedIn members. But by scanning everyone's messages, it might open itself up to accusations of wiretapping, as have been alleged in the consumer suit against Google.
A LinkedIn spokesman, contacted via email, wasn't immediately able to respond to an emailed request for comment about exactly what types of data Intro will collect beyond email addresses, whether it will scan emails stored on a user's IMAP server that date from before they signed up for Intro, or whether the technology underpinning the service might open LinkedIn to wiretapping charges from people whose emails are scanned but who haven't signed up for the service.
Update -- LinkedIn has released additional information about its LinkedIn Intro program, emphasizing that it's an opt-in service. "Once you install Intro, a new Mail account is created on your iPhone. Only the email in this new Intro Mail account goes via LinkedIn; other Mail accounts are not affected in any way," it said. In addition, it noted that all related communications are fully encrypted, and that emails are only accessed when retrieved by LinkedIn from the mail server and sent to the iPhone. "LinkedIn servers automatically look up the From email address, so that Intro can then be inserted into the email," it said.
A LinkedIn spokeswoman declined to address the wiretapping question.
