Posted October 30, 2013
In an ambitious attempt to further integrate its services into the lives of business professionals, the social network LinkedIn has introduced a new but controversial mobile app called “Intro” that inserts LinkedIn profile information into the emails of Apple iOS users. While the new app was ostensibly designed to provide users an extended introduction to whoever is sending them messages by automatically showing their LinkedIn bio, it has raised serious security and privacy concerns in the brief time since it launched.
According to LinkedIn, the app integrates with the iPhone Mail app so it can show LinkedIn profile information in sent and received emails. Once you download the Intro app to your device, all your sent and received emails are redirected to LinkedIn proxy servers. LinkedIn then reconfigures your device to transmit your incoming and outgoing emails through its server. The reconfiguration involves techniques traditionally used in enterprise deployment of iOS devices. With this process, LinkedIn decrypts the sent email to include the profile information, and then re-encrypts it. So, when you send an email, the receiver is able to view your LinkedIn profile picture along with your job title, which is configured as a link that directs the receiver to your LinkedIn bio.
This seems to be pretty innovative, but the idea of having a third party sifting through your emails opens a Pandora’s Box of security and privacy concerns. A tech writer for The New York Times reports that several researchers have spoken out against using Intro, likening it to a “man-in-the-middle attack,” in which hackers intercept Internet traffic in transit for malicious purposes. An additional security concern is that the app may violate many employers’ security and compliance policies. By installing Intro, employees are technically disclosing the company’s sensitive and classified data to a third party.
With these security flaws in mind, Intro could also expose users to social engineering attacks, as hackers could easily intercept the injected LinkedIn information and attach malicious data. By providing the LinkedIn information through email, the app gives users a misguided sense of security, which makes social engineering attacks much easier. It is also worth pointing out that since LinkedIn is known to mainly target corporate users, the idea that the Intro app could possibly facilitate access to millions upon millions of corporate emails is very alarming. In a recent podcast, Vinnie Liu from Bishop Fox warned businesses about the dangers associated with the LinkedIn Intro app and recommended they take the necessary security measures and block its installation.
Many professionals assume there is a high level of privacy when sending emails, but given how Intro works, this is also a major concern. Regardless of whether or not you have opted into the Intro service, if the person you’re sending an email to is using Intro, then your emails are passing through LinkedIn’s servers. This opens up the possibility that important internal data could be compromised, exposing companies to phishing and spear-phishing attacks, and the theft of intellectual property, funds, or customer data.
Although LinkedIn has reassured its users that the company has taken important steps to protect Intro from attacks, including heavily encrypting the data and only storing it for a short period of time, LinkedIn has been compromised before. In June 2012, LinkedIn fell victim to one of the most public username and password thefts in recent history when 6.4 million user accounts were compromised. It was later established that the professional social network had not followed best practices when securing users’ data.