Last week, LinkedIn unveiled its latest product, LinkedIn Intro. Intro is an iPhone app that establishes a connection with the user’s emails to insert LinkedIn information into all emails they receive to that address. For example, if the user was to receive an email from someone with a LinkedIn profile, Intro would insert a banner into that email with the sender’s LinkedIn details.
Industry experts, however, have flagged potential security issues with this product.
James Lyne, global head of security research at Sophos, described the app in a Forbes article as essentially saying “hack here” to malicious individuals.
Lyne explained that LinkedIn Intro acts as a middle-man between the user and email provider. This mirrors an “MITM” (man in the middle) attack that hackers use, meaning a compromise of the servers could be catastrophic.
LinkedIn addressed these concerns in a statement, revealing that all communications are encrypted. Lyne acknowledged this, but added that any break in the encryption could act as an entry point.
LinkedIn have been active in defending the app and addressing security concerns. Commerford gave HC a breakdown on how Intro works:
You have to opt-in and install Intro before you see LinkedIn profiles in any email.
Usernames, passwords, OAuth tokens, and email contents are not permanently stored anywhere inside LinkedIn data centres. Instead, these are stored on your iPhone.
Once you install Intro, a new Mail account is created on your iPhone. Only the email in this new Intro Mail account goes via LinkedIn; other Mail accounts are not affected in any way.
All communication from the Mail app to the LinkedIn Intro servers is fully encrypted. Likewise, all communication from the LinkedIn Intro servers to your email provider (e.g. Gmail or Yahoo! Mail) is fully encrypted.
Your emails are only accessed when the Mail app is retrieving emails from your email provider. LinkedIn servers automatically look up the "From" email address, so that Intro can then be inserted into the email.
Security concerns over LinkedIn are not unwarranted. The company had a large number of passwords compromised last year (although it did move to remedy the problem). This does occur occasionally within the tech industry, but LinkedIn has also been involved in a US-wide class action lawsuit since September. Perkins et al. v. Linkedin Corporation accuses LinkedIn of accessing users’ email accounts without consent and harvesting addresses.
LinkedIn deny the allegations of the lawsuit, and Commerford addressed these concerns.
“We take the privacy and security of our member's data very seriously and have taken a thoughtful approach to ensure we've put the right security precautions in place for the LinkedIn Intro product,” she told HC. Her statement also included the following points:
We have isolated the Intro environment as a separate high security segment from the rest of LinkedIn systems as a matter of best practice.
We hardened all the services that are running the platform that are Internet and internally exposed.
We conducted a review with an outside vendor to inspect the code dealing with transmission of credentials and handling email content. Any vulnerabilities identified were remediated.
We ensured that credentials and mail content are never stored unencrypted.
We continuously monitor this environment for security and availability issues.
Security analyst Graham Cluley wrote on his blog his concerns, stating that most security-conscious organisations wouldn’t be comfortable with employees giving LinkedIn access to company emails.
“The first thing to do if you want to keep your very personal or sensitive information safe is to reduce the chances of a breach. Adding another link in the privacy chain which could be potentially exploited is not the direction you should be going in,” he added.
Given the information here, will you be using LinkedIn Intro, or do you feel there is too great a security risk? Let us know your thoughts and insights in the comments.
LinkedIn have published further information on Intro’s security here.