LinkedIn's New Mobile App Called 'a Dream For Attackers'
An anonymous reader writes with a link to the New York Times' summary of a security and privacy disaster that's been inspiring angry posts on various social networks, including LinkedIn itself: "Security researchers are calling LinkedIn's new mobile app, Intro, a dream come true for hackers or intelligence agencies... Intro redirects e-mail traffic to and from users' iPhones and iPads through LinkedIn's servers, then analyzes and scrapes those e-mails for relevant data and adds pertinent LinkedIn details... Researchers liken that redirection to a so-called man-in-the-middle attack in which hackers, or more recently, intelligence agencies, intercept Internet traffic en route to its destination and do what they will with it."
I have had a Linkedin account forever. I never even go there any more. I've never met any women on Linkedin, so I find it totally useless.
It amazes me that people still don't understand that social networks don't exist to provide services to users.... they exist to turn users into products that can be sold.
They are going to keep getting more invasive as they figure out new ways to screw you over for a profit.
Now I feel a little less cowardly for having virtually no voluntary apps loaded on my android gadgets because of all the permissions required and no convenient way to limit access to my data.
If it's running on your phone and you have an email app that downloads messages to your phone, it could be reading those files and sending them back to LinkedIn. It wouldn't really be redirecting it, but it would be copying it and sending it back there.
Which is why I'm very careful with what apps I download. If the website provides the same services, why would I download an app?
I still have more fans than freaks. WTF is wrong with you people?
You have to allow their app to install a configuration profile that sets up iOS's Mail app to get your email through LinkedIn's proxy server; then LinkedIn can read your email and inject relevant code directly into the message before it hits the mail client: http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios *barf*
An iOS app has no access to any other app's files. The scheme you describe would fortunately be impossible.
I'm waiting on how they blame this on a programming error, they obviously neeeeever wanted to MITM all mails...
The only thing I'm not surprised about is that this company hasn't been sued or hacked into oblivion.
I have a private email address. Only friends and family know about it. I don't use it to sign up for anything on the internet, I have other addresses for that. This particular address is the one I give out to people who might need to pull down a direct line of communication to me, wherever I am on the planet, assuming I have cellular and data connectivity. I also know precisely who has this address, and they are well aware that they're not to give it out to other people without my consent.
One day I started getting spam from these LinkedIn assholes. The kind of spam that never stops, and just keeps badgering you to reply to it or click some stupid fucking button. If you want to "unsubscribe" from their awesome service, you have to go to a fucking website and enter in your email address. What the hell?
Anyways, the person whose account started badgering me to confirm I know them... never actually gave my email address to LinkedIn. He knew how much I despise modern day social networking and I trust him when he says he would never sign me up for something without my prior permission (why he would ever have a reason to sign me up for anything was beyond the both of us). Yet, there I was, getting spam from LinkedIn regardless, with no way to stop it except to go to their idiot website and enter in my friggin' email address.
The only conclusion that we could come to was that they leeched it from his phone or laptop *somehow*, because those were the only two places where my super private email address was being held. We later found out that a lot of other people in those address books started getting LinkedIn spam as well, so somehow, LinkedIn basically dumped his entire address book without his permission and started spamming everyone on it.
As far as I'm concerned, LinkedIn can fuck off and go rot in hell. I told myself the next time they spammed me I'd start mailing C&D letters, because I'm sick and tired of having to unsubscribe from their bullshit pestering service every 3 months that I clearly did not sign up for (and if their EULA somehow makes it OK for them to spam me because my friend clicked OK, well, I'd be more than happy to take these fuckers to court over that).
They just proxy all mail.
Normally your device connects directly to the servers of your email provider (Gmail, Yahoo, AOL, etc.), but we can configure the device to connect to the Intro proxy server instead.
The Intro proxy server speaks the IMAP protocol just like an email provider, but it doesn’t store messages itself. Instead, it forwards requests from the device to your email provider, and forwards responses from the email provider back to the device. En route, it inserts Intro information at the beginning of each message body — we call this the top bar.
http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios
I wonder if he will be so smug when they perp walk him out of his office.
Sig Battery depleted. Reverting to safe mode.
This is nothing more than social engineering done by a big public company... If it was an individual he could have been incriminated, isn't it?
It is possible. Read what they say on their own web page:
Once we got the IMAP proxy working, we were faced with another problem: how do we configure a device to use the proxy? We cannot expect users to manually enter IMAP and SMTP hostnames, choose the correct TLS settings, etc — it’s too tedious and error-prone.
Fortunately, Apple provides a friendly way of setting up email accounts by using configuration profiles — a facility that is often used in enterprise deployments of iOS devices. Using this technique, we can simply ask the user for their email address and password, autodiscover the email provider settings, and send a configuration profile to the device. The user just needs to tap “ok” a few times, and then they have a new mail account.
The users have no idea why they are clicking OK, but once it's done it works, so they ask no questions.
After all, they are Linkedin users, so they automatically aren't too bright.
Maybe it's that wonderful feature that asks for your email and password to check if your contacts already have a LinkedIn account so they will connect them for you.
My email and password? Are you kidding?
I find it ridiculous when I read blog posts on the net that claim that you have to have a LinkedIn account to get a job in the "tech world". Really? Since when? Maybe some asshole recruiter will require it but I've never had issues not having one. But then again, maybe they looked me up and found this famous guy, which there are... Hell, no complaints though. The only time I got a LinkedIn account was to view someone's profile, and then I cancelled my account, which I had created using a temporary e-mail account. Suck mah balls LinkedIn, we don't need you!
Fucking invasive apps that's why.
The LinkedIn apps are the most fucking invasive apps ever. Most app writers actually give a slight fuck about your privacy. But LinkedIn hooks into absolutely every system on your mobile device and utilizes those services for whatever they want. So if you ever install it, consider all your emails, contacts, phone calls, instant messages, text messages, and GPS location theirs.
And that was the previous app.
Of all the social networking sites, LinkedIn seems to be the evilest of the evil.
Lucky for us their app is dumb. I will share what has happened several times to me. I get an e-mail saying "so and so has endorsed you". So and so probably doesn't really know what I do or know that I am an expert in whatever they are endorsing me for, but let's skip that. Okay, it says "add to profile". Click! "Would you like to install the LinkedIn App?" Why, no, since I already installed it like a year ago. Okay, so what is my other choice? "Open mobile site". Click! "Please Login", and then it has a Google and a Yahoo login. Um, no, I want to log in to LinkedIn, not Google or Yahoo. If I log in to Google or Yahoo, then LinkedIn will browse all my contacts and spam them. So obviously I am not doing that. OK, well I guess I will leave that e-mail sitting around and maybe look at it from a real computer someday. At least it works from a real computer.
Simple solution: Remove LinkedIn from your handset. Their app doesn't integrate that well anyway.
I'm not trying to troll here, but not being a Gmail user, I'm not sure how LinkedIn's scraping of email is any different than Google scraping it for advertising services. I understand that technically LinkedIn is acting as a proxy, and Google as an ISP, but how is the result any different?
The method they use has absolutely nothing to do with accessing the emails/files with the Mail app as described by AuMatar - it's an injection via a proxy before the data ever hits the Mail app. I was specifically addressing AuMatar's fear that "you have an email app that downloads messages to your phone, it could be reading those files and sending them back to Linkedin."
Also, there is some interesting hilarity in you getting modded up for pointing me to a link that *I* introduced to this thread.
E-mail is fundamentally insecure. SMTP is easily spoofed because it has no authentication mechanism. By default every message travels unencrypted and nobody bothers to correct that. I can not remember the last time I got an e-mail that was encrypted. Sure, Gmail may provide me with an SSL connection to read my mail, but any message in my inbox could have bounced all over the net in the clear. Every large e-mail provider has been repeatedly hacked. If you are using a set of insecure protocols with no encryption, adding another possibly insecure service doesn't change things much.
I'm calling on Apple to kick 3rd party applications out of the ability to make a configuration like this. This appears to be a significant security threat to the iOS platform and should be treated as such. Applications should not be able to do this on their own and as we have seen with LinkedIn, it can lead to no good.
For those sysadmins who would like to block this from occurring within their network or on their devices, this was taken from Reddit. See the IMAP and SMTP configuration below and block it at the firewall.
IMAP: imap.intro.linkedin.com
SMTP: smtp.intro.linkedin.com
From the Apple configuration profile:
IncomingMailServerHostName imap.intro.linkedin.com
IncomingMailServerPortNumber 143
OutgoingMailServerHostName smtp.intro.linkedin.com
OutgoingMailServerPortNumber 587
Anyone with the LinkedIn app... REJECTED. You're too fucking stupid to be in IT.
Not sure how it keeps getting called a social network. It's an evil that has taken over a large segment of the job hunting market, especially in IT. I've got an account but actually read what I click so I haven't spammed my email contacts, and definitely won't be installing their crapware app. - HEX
Your friend is too dumb to not enter his email address/password into random websites... don't be surprised if this isn't the last of the spam.
And it's going to uninstall so gracefully. Probably just delete itself from the middle and leave email unusable... can't wait for those help calls to start.
needs to die.
An iOS app has no access to any other app's files. The scheme you describe would fortunately be impossible.
A given app doesn't have access to another app's files; but since their scheme also employs a configuration profile, I suspect you could have some fun with quietly twiddling per-app VPNs, the global HTTP proxy, silent installation of trusted certificates, and other useful little toys.
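The firewall list posted above and the remark about what else a configuration profile can carry (trusted root certificates, managed VPNs, a global HTTP proxy) both come down to the same check: open the .mobileconfig before it is trusted and see where it points mail at, whether it leaves mail in cleartext, and what other payload types ride along. The script below is an added example written for this thread, not code from LinkedIn, Reddit or Apple. It parses a constructed sample profile (the hostnames and ports are the ones quoted in the thread; the profile itself is made up, and the allowed-host list uses placeholder example.com names) with Python's standard plistlib and reports any mail server outside the allowlist, any mail leg without the UseSSL flag, and any of the three high-risk payload types named in the comment above. It goes slightly beyond the firewall list by also flagging those extra payload types, which the posted list does not cover.

```python
import plistlib

# Apple Mail payload type and the server keys quoted in the thread's profile excerpt.
MAIL_PAYLOAD_TYPE = "com.apple.mail.managed"
MAIL_SERVER_KEYS = (
    ("incoming", "IncomingMailServerHostName", "IncomingMailServerPortNumber", "IncomingMailServerUseSSL"),
    ("outgoing", "OutgoingMailServerHostName", "OutgoingMailServerPortNumber", "OutgoingMailServerUseSSL"),
)

# Payload types that can silently re-route or re-trust device traffic:
# a trusted root certificate, a managed VPN, a device-wide HTTP proxy.
HIGH_RISK_PAYLOAD_TYPES = {
    "com.apple.security.root",
    "com.apple.vpn.managed",
    "com.apple.proxy.http.global",
}

# Constructed sample profile for this example (not a real LinkedIn .mobileconfig).
# Mail hosts and ports are the ones quoted in the thread; the root-cert payload
# is an empty stand-in with no certificate data.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>EmailAccountDescription</key><string>Work mail</string>
      <key>IncomingMailServerHostName</key><string>imap.intro.linkedin.com</string>
      <key>IncomingMailServerPortNumber</key><integer>143</integer>
      <key>OutgoingMailServerHostName</key><string>smtp.intro.linkedin.com</string>
      <key>OutgoingMailServerPortNumber</key><integer>587</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>example.constructed.rootcert</string>
    </dict>
  </array>
</dict>
</plist>
"""


def iter_payloads(node):
    """Yield every payload dict in a profile, descending into nested PayloadContent arrays."""
    for payload in node.get("PayloadContent", []):
        if isinstance(payload, dict):
            yield payload
            yield from iter_payloads(payload)


def audit_profile(raw, allowed_hosts):
    """Return a list of findings for a .mobileconfig given as bytes.

    allowed_hosts: hostnames (any case) your devices are expected to talk mail to.
    Finding kinds: unexpected_mail_server, cleartext_mail, high_risk_payload.
    """
    profile = plistlib.loads(raw)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for payload in iter_payloads(profile):
        ptype = payload.get("PayloadType")
        if ptype in HIGH_RISK_PAYLOAD_TYPES:
            findings.append({"kind": "high_risk_payload", "payload_type": ptype})
        if ptype != MAIL_PAYLOAD_TYPE:
            continue
        account = payload.get("EmailAccountDescription", "<unnamed>")
        for role, host_key, port_key, ssl_key in MAIL_SERVER_KEYS:
            host = payload.get(host_key)
            if not host:
                continue
            detail = {"account": account, "role": role, "host": host, "port": payload.get(port_key)}
            if host.lower() not in allowed:
                findings.append({"kind": "unexpected_mail_server", **detail})
            # Apple treats a missing UseSSL key as false, so absent counts as cleartext.
            if not payload.get(ssl_key, False):
                findings.append({"kind": "cleartext_mail", **detail})
    return findings


def hosts_to_block(findings):
    """Distinct unexpected mail hosts, ready for an egress deny list."""
    return sorted({f["host"] for f in findings if f["kind"] == "unexpected_mail_server"})


if __name__ == "__main__":
    # Placeholder allowlist: replace with your organisation's real mail hosts.
    found = audit_profile(SAMPLE_PROFILE, {"imap.example.com", "smtp.example.com"})
    for f in found:
        print(f)
    print("block at firewall:", hosts_to_block(found))
```

Run against a profile an MDM or a user is about to accept, the allowlist check is what catches a mail proxy like the one described in the thread, and the payload-type check is what catches the profile quietly adding a root certificate or a VPN next to it. The cleartext check is independent of the host: port 143 with no UseSSL flag is worth a finding even when the host is your own server.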
It's good that LinkedIn is a Respectable Business, or this would probably be about Eleventy-billion CFAA violations...
Everything about this company is seedy and disgusting. Their "engineer" openly bragging on a blog about "doing the impossible" with a little IMAP MITM is breathtaking. Just about what we've come to expect from these assholes.
At this point I have to ponder who in their right mind would associate with or hire anyone still idiotic enough to keep using this "service"?
"you did WHAT?!?!"
Me, to some kid I work with upon him telling me he did that...with his company email login....(which is his network login). And. Nobody. Cared.
Hello iOS update 7.0.4!!
LinkedIn's service seems to be based on Rapportive, which has been around for a while. On desktops, they can just hook into web mail services and mail readers through extensions; no rerouting required. Of course, the information still ends up on their servers, but that's kind of the point: how could they give you information related to your mail messages if they couldn't look at it?
On mobile, the hooks for this are missing. Furthermore, iOS is rather insistent on the precious specialness of Apple's own applications, so replacing the mail app is hard too. If they want to provide this service, inserting themselves in the middle is basically all they can do.
I was using Rapportive briefly on the desktop but didn't find it all that useful. I can imagine that for some people it is useful (e.g., if you're in HR and get a lot of emails from people you don't know), however. Since it's voluntary, I don't think it's a big deal.
As for corporate email providers, they have a simple way of stopping this.
This is shocking.
It's grossly and obviously wrong and there was no one at LinkedIn who stopped it from happening; indeed, there must have been some people who thought it should, and a bunch of people who thought it was a bad idea and were ignored or did nothing.
I quit LinkedIn about six months ago, when I properly appreciated that I was delivering up a ton of personal data to everyone - Government agencies included - rather than just to the people I intended it for (employers).
Prior to that, I had stopped using their mobile app, because the T&C was so incredibly long that it was unreadable. Never sign anything you do not understand, and if you can't *read* the T&C, all bets are off.
I've had some engagement recently with LinkedIn customer support, as they keep still sending me email where people are requesting connections (after I deleted my account).
To call them useless would be to over-estimate their utility. Engagement with them has been, and has only ever been, a loss, and when I made a second support issue about the response to the first being useless, I was asked to provide a SCREENSHOT of the conversation... (despite providing the previous support case number).
As such, the solution to this problem in fact needs to come from my side, where I will reasonably soon change my email address.
All in all, LinkedIn pretty much look like they suck.
It seems to be a classic failure mode for large social networks.
I work in Sunnyvale where LinkedIn is putting up 3 very large, multi-story buildings for their new galactic headquarters. As I pass by them, I've wondered how they would possibly fill those buildings. Now I know. They're actually putting up their version of a data storage center, similar to the one NSA has built in Utah. They need room for the disk farms that store all these emails they've captured from their users.
I can't confirm now (source is slashdotted) but I don't remember them talking about abuse of "email as authorization" to most Internet sites.
Say I do this. Even if I split my emails out to having a "bank/amazon/eBay" reset email, the IMAP proxy settings seem to me like they would let them check my email, and set password resets from my bank. Scary.
A normal sig would do the job, and has done for many people for ages, without this security risk.
"so somehow, LinkedIn basically dumped his entire address book without his permission and started spamming everyone on it."
When signing up, and at random periods, LinkedIn asks you if you would like to have it trawl through your address book and automatically add people. It then prompts you to input your email address and password for the mail service.
This is the same service that was on Slashdot recently as somebody was launching a class action suit for hacking their accounts.
It's pretty clear what they're asking for, and I'm sorry, but your friend did give his permission and account details; LinkedIn didn't just 'somehow' leech it from his phone or laptop.
I think we should put the knives away for now.
Someone else has pointed out LinkedIn's explanation of their solution here:
http://tech.slashdot.org/comments.pl?sid=4379177&cid=45241665
I like the spirit behind this tutorial. Technically, it's an excellent, creative solution to a real problem: having emails annotated with additional context of our liking. Their only mistake is the overarching reach of the solution (i.e. send all your mail to LinkedIn). That makes it basically DoA.
The 'proper' solution for this would be for their app to run the IMAP proxy in the background on your *local* device (i.e. listening on localhost:), under *your* control. The VPN profile would then direct mail retrieval traffic to localhost:. The app would also give you control over rules and web services used to annotate your email. Additional points if the app was open source.