LinkedIn’s attempt to integrate its social network with your email is being called “a dream for attackers” by security researchers. LinkedIn Intro is a plug-in for the iPhone that intercepts your email in order to show you information about a contact’s LinkedIn profile inside your email app. Intro has a slick interface that pulls key details about a contact, such as his or her position, company, and education.
Security researchers have taken issue with LinkedIn Intro because it acts as “a man in the middle,” grabbing users’ email and passing it through LinkedIn’s own servers before delivering it to their inboxes. LinkedIn is acting as a proxy: it takes your email, injects its own code into it, and sends it on to you. “I’m flabbergasted by this. I can’t believe someone thought this was a good idea,” said Richard Bejtlich, the chief research officer at computer security company Mandiant.
LinkedIn is taking security measures to protect user emails, but security researchers don’t think they’re enough. LinkedIn responded to concerns in a blog post, explaining that customers have to opt in to the app and that emails are encrypted to and from the company’s servers. Still, security researchers say that this approach leaves room for insecurity. The encryption is hop-by-hop, not end-to-end: LinkedIn must decrypt each email, inject its own code, and re-encrypt the message before sending it on to the user. Every message therefore exists in plaintext on LinkedIn’s servers, and anyone who compromises those servers, or can compel access to them, gets to read it.
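The decrypt, inject, re-encrypt step described above, as an added example that is not LinkedIn’s code and not code from the article: a small Python model of what a rewriting mail proxy can see and change between its two TLS hops. The sample message and the contact-card markup it injects are constructed for illustration; the real Intro markup is not known from the article.

```python
"""Model of an email-rewriting proxy: between two TLS hops, everything
is plaintext to the proxy.

Added example, not LinkedIn's code. The sample message and the injected
contact-card snippet are constructed for illustration only.
"""
from __future__ import annotations

import email
from email import policy

# Constructed sample: what the mail server hands the proxy once the
# server-to-proxy TLS hop has been decrypted.
SAMPLE_MESSAGE = b"""\
From: Alice Example <alice@example.com>
To: Bob Example <bob@example.org>
Subject: Q3 numbers (confidential)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Bob, the draft revenue figure is 4.2M. Do not forward.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Bob, the draft revenue figure is 4.2M. Do not forward.</p></body></html>
--b1--
"""

# Hypothetical contact card the proxy stitches into the HTML body.
CARD_TEMPLATE = '<div class="contact-card">Profile: {name} &lt;{addr}&gt;</div>'


def proxy_pass(raw: bytes) -> tuple[dict, bytes]:
    """Do what a rewriting proxy does between its two encrypted hops.

    Returns (what_the_proxy_could_read, rewritten_message_bytes). The
    first element only makes the exposure explicit: a compromised or
    subpoenaed proxy has exactly this view of every message it relays.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Step 1: the proxy reads headers and bodies in the clear.
    observed = {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "text": msg.get_body(preferencelist=("plain",)).get_content(),
    }

    # Step 2: inject proxy-controlled markup into the HTML alternative.
    sender = msg["From"].addresses[0]
    card = CARD_TEMPLATE.format(name=sender.display_name, addr=sender.addr_spec)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        html = html_part.get_content()
        html_part.set_content(html.replace("<body>", "<body>" + card, 1),
                              subtype="html")

    # Step 3: re-serialize; this is what gets re-encrypted toward the phone.
    return observed, msg.as_bytes()


def html_body(raw: bytes) -> str:
    """Decode the HTML alternative of a message, as the phone's mail app would."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return "" if part is None else part.get_content()


if __name__ == "__main__":
    seen, rewritten = proxy_pass(SAMPLE_MESSAGE)
    print("proxy could read:", seen)
    print("client receives HTML:", html_body(rewritten))
```

The point of the model is the `observed` dictionary: the proxy does not need to break any cryptography to read a confidential message, because the TLS session from the mail server ends at the proxy and a fresh one starts there toward the phone.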
IT departments should be worried as well: an employee who enables LinkedIn Intro routes the company’s mail, sensitive messages included, through a third party’s servers, bypassing whatever controls the company has built around its own mail infrastructure. That will most likely violate corporate policy on secure email.
LinkedIn doesn’t have the best track record when it comes to security. In 2012 the social network was breached because of lackluster security measures: it stored passwords as unsalted SHA-1 hashes, and the hashes for more than six million user accounts were posted online, where many were cracked quickly.
[Source: New York Times]