Slashdot Mirror


LinkedIn's New Mobile App Called 'a Dream For Attackers'

An anonymous reader writes with a link to the New York Times' summary of a security and privacy disaster that's been inspiring angry posts on various social networks, including LinkedIn itself: "Security researchers are calling LinkedIn's new mobile app, Intro, a dream come true for hackers or intelligence agencies... Intro redirects e-mail traffic to and from users' iPhones and iPads through LinkedIn's servers, then analyzes and scrapes those e-mails for relevant data and adds pertinent LinkedIn details... Researchers liken that redirection to a so-called man-in-the-middle attack in which hackers, or more recently, intelligence agencies, intercept Internet traffic en route to its destination and do what they will with it."

7 of 122 comments

  1. Why is anyone surprised? by Anonymous Coward · · Score: 5, Insightful

    It amazes me that people still don't understand that social networks don't exist to provide services to users.... they exist to turn users into products that can be sold.

    They are going to keep getting more invasive as they figure out new ways to screw you over for a profit.

    1. Re:Why is anyone surprised? by icebike · · Score: 4, Insightful

      Pretty smug and self congratulatory.
      Everyone make sure you put Martin Kleppmann on your DO NOT HIRE list.

      I hope Apple steps up and kicks them out of the App Store.

      --
      Battery depleted. Reverting to safe mode.
    2. Re:Why is anyone surprised? by fuzzyfuzzyfungus · · Score: 5, Insightful

      It is admittedly a cute hack (presented in a smarmy tone); but the sheer tone-deafness and unwillingness or inability to recognize that you are proposing to subject potentially-hundreds-of-thousands of people's private information to your cute hack is sickening.

      That's what really gets me: If this were random geek giving a little chat about 'stupid IMAP regex tricks; the closest thing to greasemonkey for iOS mail!' and showing off an architecturally similar system for on-the-fly-rewrites of mail to add useful hooks to present features absent in the client, it'd be clever and endearing. But that isn't the game we are playing here. This is a slick, weaponized, weasel-worded-for-wide-deployment dangerous toy we are talking about here.

      Either he knows that, and just doesn't give a fuck (in which case he is somewhere beneath contempt and heading further down), or he's dangerously myopic to an almost unbelievable degree.

    3. Re:Why is anyone surprised? by dcollins · · Score: 5, Insightful

      Nice link. Fascinating how they cream themselves for 2,000 words on the technical challenges they overcame to break into a system not meant for that, but only 3 short sentences that privacy is fine, they're serious, see this link. (At least until uproar made them add the italicized part at the end.) Very telling.

      --
      We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
  2. Re:Who cares. by Anonymous Coward · · Score: 2, Insightful

    Not even occasional sex with your manager?

  3. How is this different from Gmail? by markjhood2003 · · Score: 3, Insightful

    I'm not trying to troll here, but not being a Gmail user, I'm not sure how LinkedIn's scraping of email is any different than Google scraping it for advertising services. I understand that technically LinkedIn is acting as a proxy, and Google as an ISP, but how is the result any different?

  4. Time for Apple to Step Up by Hangtime · · Score: 4, Insightful

    I'm calling on Apple to kick 3rd party applications out of the ability to make a configuration like this. This appears to be a significant security threat to the iOS platform and should be treated as such. Applications should not be able to do this on their own and as we have seen with LinkedIn, it can lead to no good.

    For those sysadmins who would like to block this from occurring within their network or on their devices, this was taken from Reddit. See the IMAP and SMTP configuration below and block it at the firewall.

    IMAP: imap.intro.linkedin.com
    SMTP: smtp.intro.linkedin.com
    From the Apple configuration profile:
      <key>IncomingMailServerHostName</key>
      <string>imap.intro.linkedin.com</string>
      <key>IncomingMailServerPortNumber</key>
      <integer>143</integer>
      ....
      <key>OutgoingMailServerHostName</key>
      <string>smtp.intro.linkedin.com</string>
      <key>OutgoingMailServerPortNumber</key>
      <integer>587</integer>
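As an added example (my own code, not from the thread, Reddit, or LinkedIn): the comment above gives the two proxy hostnames and ports but leaves the "check your devices" and "block it at the firewall" steps to the reader. The script below does both: it parses an iOS configuration profile (a .mobileconfig is an XML plist) and flags any Mail payload whose IMAP or SMTP server sits under the Intro domain, then emits dnsmasq sinkhole lines and iptables rules for the quoted endpoints. The sample profile is constructed for the demo; the payload keys follow Apple's Mail payload format, but the identifiers and the ordinary mail server in it are made up.

```python
"""Detect Intro-style mail proxying in an iOS profile and emit block rules.

Added example, not code from the Slashdot thread or from LinkedIn.
Assumptions: the Mail payload keys (PayloadType, PayloadIdentifier,
IncomingMailServerHostName, OutgoingMailServerHostName, *PortNumber) are
Apple's standard profile keys; SAMPLE_PROFILE is constructed for the demo.
"""
import plistlib

# Hostnames and ports quoted in the comment above.
INTRO_DOMAIN_SUFFIX = ".intro.linkedin.com"
INTRO_ENDPOINTS = {
    "imap.intro.linkedin.com": 143,
    "smtp.intro.linkedin.com": 587,
}

# Constructed sample: one ordinary mail payload and one routed via the proxy.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadIdentifier</key><string>example.mail.corp</string>
      <key>IncomingMailServerHostName</key><string>imap.example.com</string>
      <key>IncomingMailServerPortNumber</key><integer>993</integer>
      <key>OutgoingMailServerHostName</key><string>smtp.example.com</string>
      <key>OutgoingMailServerPortNumber</key><integer>465</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadIdentifier</key><string>example.mail.intro</string>
      <key>IncomingMailServerHostName</key><string>imap.intro.linkedin.com</string>
      <key>IncomingMailServerPortNumber</key><integer>143</integer>
      <key>OutgoingMailServerHostName</key><string>smtp.intro.linkedin.com</string>
      <key>OutgoingMailServerPortNumber</key><integer>587</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def mail_payloads(node):
    """Yield every Mail payload dict in a parsed profile, however deeply nested."""
    if isinstance(node, dict):
        if node.get("PayloadType") == "com.apple.mail.managed":
            yield node
        for child in node.values():
            yield from mail_payloads(child)
    elif isinstance(node, list):
        for child in node:
            yield from mail_payloads(child)


def find_proxied_mail(profile_bytes):
    """Return (payload id, side, host, port) for each mail server under the
    Intro domain. Matching the domain suffix rather than the two exact
    hostnames also catches renamed or regional endpoints."""
    hits = []
    for payload in mail_payloads(plistlib.loads(profile_bytes)):
        for side in ("IncomingMailServer", "OutgoingMailServer"):
            host = str(payload.get(side + "HostName", "")).lower().rstrip(".")
            if host.endswith(INTRO_DOMAIN_SUFFIX):
                port = payload.get(side + "PortNumber")
                hits.append((payload.get("PayloadIdentifier"), side, host, port))
    return hits


def dnsmasq_sinkhole(hosts=INTRO_ENDPOINTS):
    """dnsmasq lines answering the proxy names with 0.0.0.0, so devices using
    the network resolver cannot reach them whatever their current IPs are."""
    return [f"address=/{h}/0.0.0.0" for h in sorted(hosts)]


def iptables_rules(hosts=INTRO_ENDPOINTS):
    """Forwarding rules rejecting the IMAP/SMTP ports. iptables resolves a
    hostname once, at insertion, so re-run this if the proxy's addresses change;
    the DNS sinkhole above does not have that weakness."""
    return [f"iptables -I FORWARD -p tcp -d {h} --dport {p} -j REJECT"
            for h, p in sorted(hosts.items())]


if __name__ == "__main__":
    for ident, side, host, port in find_proxied_mail(SAMPLE_PROFILE):
        print(f"{ident}: {side} -> {host}:{port}")
    print("\n".join(dnsmasq_sinkhole()))
    print("\n".join(iptables_rules()))
```

Run it against a real exported profile by replacing SAMPLE_PROFILE with the file's bytes. The DNS sinkhole is the more durable control: an IP-based rule silently stops working when the proxy's addresses change, and a device that has already cached the profile will keep trying the hostnames, which is exactly what the sinkhole catches.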