A goldmine for hackers: The major security risk in LinkedIn’s latest app
Sunday, October 27, 2013/
In a move that has stunned the technical and security communities for what is possibly the worst idea for a software application this year, LinkedIn has announced the availability of an iPhone/iPad application called Intro.
The application reads all of your email and if it recognises a name, inserts information from their LinkedIn profile. To do this, you just have to install the app and hand over the username and password details of your email account (Gmail users can authenticate through Google’s authentication mechanisms). Instead of getting the email directly from Google, Yahoo, or Microsoft, you get it from LinkedIn and they scan each email and insert their LinkedIn information.
The first question raised is why anyone would want information from LinkedIn added to an email. Presumably most emails that you receive are from people you already know and who considerately add their contact details at the bottom of the email. But the more fundamental issue with this is the security hole that it opens up for exploitation by not only hackers but failures on the part of LinkedIn. Bugs in LinkedIn’s software for example, could potentially cause emails to go missing or sections of email content to disappear.
As security analyst Graham Cluley has pointed out, LinkedIn has not got a good reputation when it comes to security, having last year leaked passwords to 6 million accounts. There were also responsible for grabbing information from iOS calendars including meeting notes and other potentially confidential information.
Coming on the heels of the US NSA revelations about intercepting email, again you would have to question why people would introduce another centralised means of monitoring email – especially those in countries outside of the US that are concerned about the current level of monitoring from the US Government. Certainly, companies concerned about corporate security would be extremely reticent about opening up a potentially huge vulnerability for little, if any, benefit.
Of course, the NSA is probably the least of a LinkedIn user’s concerns. Establishing a man-in-the-middle for your email service opens up potential risks for hackers subverting this to gain access to your email, private information and potentially insert malware. Trusting LinkedIn to prevent this is a huge leap-of-faith.
For LinkedIn, this is a curious move that can only serve to damage their reputation amongst their mostly corporate users. The LinkedIn technical lead boasting about the technical achievements in the Intro iOS app made reference to Rapportive a browser plugin purchased by LinkedIn that already does what Intro does but on Gmail in browsers such as Google’s Chrome. The enthusiasm shown by tech journalists for Rapportive “Stop what you are doing and install this plug-in” pre-dates the NSA revelations that companies were not doing what they said they would do and keep the contents of your email confidential and private. The climate is very different now and becoming even more so with daily revelations of the extent of US spying.
In the meantime, what should you do regarding Intro? In the words of Graham Cluley “LinkedIn wants iPhone users to sign-up for a new service called Intro. My advice? Don’t.”
David Glance is the director of the Centre for Software Practice at University of Western Australia .
This article first appeared on The Conversation.