10 reasons to fear LinkedIn’s new service

The business social media network wants to route your email. The benefits to you are unclear


This article originally appeared on bishopfox.com and was reposted with permission on The Daily Dot.

Don’t make the mistake of thinking you’re [the] customer, you’re not – you’re the product.

– BRUCE SCHNEIER

LinkedIn released a new product today called Intro. They call it “doing the impossible”, but some might call it “hijacking email”. Why do we say this? Consider the following:

Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.

“But that sounds like a man-in-the-middle attack!” I hear you cry. Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing.

Why is this so bad?  Here’s a list of 10 reasons to start:

1. Attorney-client privilege.

You use your email to stay in touch with everyone in your life from your family to your friends to your business associates. And you may exchange particularly sensitive messages with certain people like your lawyer, doctor, psychotherapist, or spiritual advisor. These communications are generally legally privileged and can’t be used as evidence in court – but only if you keep the messages confidential.

“If you let a third party have access to your privileged email, you could be waiving important legal protections,”

-MARCIA HOFMANN, ATTORNEY AND FORMER SENIOR STAFF ATTORNEY AT THE EFF

To be certain, if you’re concerned about the legal effect of letting LinkedIn have unfettered access to your email, you should check with your counsel…on a system that doesn’t have Intro installed.

2. By default, LinkedIn changes the content of your emails.

Be aware that outgoing emails receive an additional signature. Incoming emails receive additional LinkedIn profile data. Introducing new data sources into a medium as rife with security issues as email is a dream for attackers. We’re curious how long it will be until someone finds an innovative way to phish through Intro.

3. Intro breaks secure email.

Cryptographic signatures will break because LinkedIn is rewriting your outgoing emails by appending a signature on the end. This means email signatures can no longer be verified.


Encrypted emails are likely to break because of the same reason – extra data being appended to your messages.

If you forward an email to someone else, the LinkedIn profile data stays in the email. What if you don’t want it to?  What if they don’t want you to and it pisses them off?
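To make the point in section 3 concrete, here is an added example (not from the original article) of the DKIM-style body hash a signer computes over a message, showing that a footer appended in transit no longer matches the hash recorded at signing time. The message body and footer text are constructed samples.

```python
import base64
import hashlib

# Constructed sample message body, with the CRLF line endings a mail server sees.
ORIGINAL_BODY = "Hi Alice,\r\n\r\nPlease find the contract attached.\r\n\r\nBob\r\n"

# Constructed placeholder for a footer that a rewriting proxy appends to outgoing mail.
APPENDED_FOOTER = "\r\n--\r\nSent via Intro (constructed example footer)\r\n"


def simple_body_canon(body: str) -> str:
    """DKIM 'simple' body canonicalization (RFC 6376, section 3.4.3):
    drop trailing empty lines, then make sure the body ends in exactly one CRLF."""
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def dkim_body_hash(body: str) -> str:
    """The bh= value a signer records: base64(SHA-256(canonicalized body))."""
    canon = simple_body_canon(body).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def verify_body_hash(received_body: str, expected_bh: str) -> bool:
    """Verifier side: recompute bh= over the body actually received and compare."""
    return dkim_body_hash(received_body) == expected_bh


def demonstrate_breakage() -> dict:
    """Sign once, then check the untouched message and the proxy-rewritten one."""
    bh_at_signing = dkim_body_hash(ORIGINAL_BODY)
    return {
        "untouched_verifies": verify_body_hash(ORIGINAL_BODY, bh_at_signing),
        "rewritten_verifies": verify_body_hash(ORIGINAL_BODY + APPENDED_FOOTER, bh_at_signing),
    }
```

The same mismatch is what breaks S/MIME and PGP signatures over the body; DKIM's optional l= body-length tag is the one mechanism that would let appended text through, which is exactly why RFC 6376 warns verifiers about it.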

4. LinkedIn got owned.

This happened last year, when an estimated 6.5 million usernames and hashed passwords were leaked to a Russian message board. They were using unsalted hashed passwords, which is a terrible design decision. LinkedIn has a documented history of insecure design practice. So, as anybody who has ever assessed a vendor would want to know:

a. Who did the security review of the Intro app?

b. Are there outstanding security vulnerabilities?

c. Can we see a copy of a Letter of Assessment?

5. LinkedIn is storing your email communications.

It’s metadata, or so they claim. In particular, the list of people with whom you communicated is saved because “If you are not connected with the person on LinkedIn, we may later suggest them as a connection on the LinkedIn website and in our other mobile apps.”

Think about it this way. A vendor tells you they will install a device on your network that monitors all your email so they can insert their data into your emails. They’ll do this for free – except they want unfettered access to all your emails so they can mine them for information about your users. They don’t say exactly what they would store from each email; they just ask you to trust them to do the right thing.

6. LinkedIn is changing your device’s security profile.

Intro works by pushing a security profile to your device; they’re not just installing the Intro app. They have to do this in order to re-route your emails. But these security profiles can do much, much more than just redirect your emails to different servers. A profile can be used to wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things.

Most of your end users aren’t going to understand the impact of these changes, nor will they know how to reverse them if they wanted to do so. You are effectively putting your trust in LinkedIn to manage your users’ device security.
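An added example of the check an administrator could run before accepting a profile like this (our illustration, not LinkedIn's code or Bishop Fox's): it parses an iOS configuration profile (.mobileconfig, which is an XML plist) and flags managed-mail payloads that point IMAP or SMTP at hosts outside an allow list, mail payloads that do not require SSL/TLS, and payload types that reach well beyond mail settings. The profile, hostnames and allow list are constructed samples.

```python
import plistlib

# Constructed sample profile with one managed-mail payload that redirects IMAP/SMTP
# to a vendor proxy. The hostnames are placeholders, not real Intro infrastructure.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Example mail profile (constructed)</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>IncomingMailServerHostName</key><string>imap-proxy.example-vendor.test</string>
      <key>OutgoingMailServerHostName</key><string>smtp-proxy.example-vendor.test</string>
      <key>IncomingMailServerUseSSL</key><true/>
    </dict>
  </array>
</dict></plist>"""

# Mail hosts your organization actually operates (constructed placeholders).
ALLOWED_MAIL_HOSTS = {"imap.corp.example", "smtp.corp.example"}

# Payload types that go beyond mail: restrictions, MDM enrollment (remote wipe,
# app install/removal), VPN, trusted roots, identities and Wi-Fi.
HIGH_IMPACT_PAYLOADS = {
    "com.apple.applicationaccess", "com.apple.mdm", "com.apple.vpn.managed",
    "com.apple.security.root", "com.apple.security.pkcs12", "com.apple.wifi.managed",
}


def audit_profile(profile_bytes: bytes, allowed_hosts: set) -> list:
    """Return a list of findings (strings) for one configuration profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mail.managed":
            for key in ("IncomingMailServerHostName", "OutgoingMailServerHostName"):
                host = payload.get(key)
                if host and host not in allowed_hosts:
                    findings.append(f"{key} redirected to unapproved host {host}")
            tls_both = payload.get("IncomingMailServerUseSSL") and \
                payload.get("OutgoingMailServerUseSSL")
            if not tls_both:
                findings.append("mail payload does not require SSL/TLS on both IMAP and SMTP")
        elif ptype in HIGH_IMPACT_PAYLOADS:
            findings.append(f"high-impact payload present: {ptype}")
    return findings
```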

7. It’s probably a gross violation of your company’s security policy.

If your company’s policy (e.g. security, confidentiality, data classification, email) has anything about not disclosing sensitive data, it most likely says something like “Do not share sensitive data with third parties.”

You’re probably violating that by installing Intro.

8. If I were the NSA…

…and I hear everyone’s mobile phones were routing their emails through LinkedIn…well I know where I’m having my next birthday party.

9. It’s not what they say, but what they don’t say

The privacy policy is ambiguous and vague.

To the question “Does LinkedIn Intro disclose information to anyone else?” the answer is not “No.” It is “We will never sell, rent, or give away private data about you or your contacts.”

The astute reader must ask themselves:

  • How do you determine what is “private”?
  • What is considered “not private”?
  • Who makes the judgment call?

Even further:

  • Are you agreeing not to misuse “private data about [me]” as in the content of my emails or my LinkedIn profile information?
  • Are you agreeing not to misuse “[my] contacts” as in my contact list or “private data about…[my] contacts” such as the content of our communications?

The better question perhaps is, “How does LinkedIn know what you consider private?” I suspect the answer is that they don’t.

10. Too many secrets

There are unanswered technical questions, too. Do the LinkedIn Intro servers mandate the use of SSL/TLS for all traffic? Does the Intro app redirect all of the accounts on your phone, or just one that you nominate? Can you opt out of the man-in-the-middle attack feature?

There’s a lot to consider and I’m sure others will think of more implications. For the time being, Intro is banned from Bishop Fox devices until we know more about it. And at the time of this writing, our recommendation is:

Don’t introduce Intro into your environment.
