LinkedIn's New Mobile App Called 'a Dream For Attackers'

An anonymous reader writes with a link to the New York Times' summary of a security and privacy disaster that's been inspiring angry posts on various social networks, including LinkedIn itself: "Security researchers are calling LinkedIn's new mobile app, Intro, a dream come true for hackers or intelligence agencies... Intro redirects e-mail traffic to and from users' iPhones and iPads through LinkedIn's servers, then analyzes and scrapes those e-mails for relevant data and adds pertinent LinkedIn details... Researchers liken that redirection to a so-called man-in-the-middle attack in which hackers, or more recently, intelligence agencies, intercept Internet traffic en route to its destination and do what they will with it."

Who cares.

[kurt555gs]

I have had a Linkedin account forever. I never even go there any more. I've never met any women on Linkedin, so I find it totally useless.

Re:Who cares.

[Wycliffe]

Exactly. Nobody I know ever uses it for anything *but* that.

Especially in certain parts of the IT industry. Keeping track of the ridiculous number of people you work with is impossible. Having a nice list - even if it spams your inbox with recruitment crap while you're not actively seeking employment opportunities - is a damned handy thing to have if you find yourself in a position to actually need to look for a job.

I'm not for sure why any employer or anyone else trusts or cares about linkedin especially in the IT field.
Most of the people on my linkedin profile who have vouched for my computer knowledge know nothing about
computers. They've said I'm an expert at java, php, and any other language that linkedin suggests even
if I know absolutely nothing about said language. To them it's all the same and it makes my linkedin profile
utterly useless as I'm ranked higher in languages I don't know than I am in languages I actually do.

Re:Who cares.

[SternisheFan]

Are you shitting us? I know people have a compulsion to link-in with everyone, but a corporate mandate?

A few years ago I 'tried' to apply for a job for a local company. Sent my resume to them in a plain text email, which wasn't good enough, they replied, I need send it through LinkedIn. "WTF is LinkedIn?", I thought. Got part of the way through the signup process before realizing that this site wants an awful lot of personal information from me, and I canceled out before sending any info. Called the company saying that I live nearby and could just drop off my printed resume to them, still wasn't acceptable, they needed any applications to be done only via LinkedIn, that ended that job search. Knowing more and moew about LinkedIn today makes me grateful I don't have an account with them.

A decade or more ago the internet was so full of promise for "Better living through technology", nowadays it seems so damn invasive in so many ways I'm wondering whether using todays tech is worth the price. I'm starting to see why more and more people are "pulling the technology plug" out and living a simpler, no tech life. I'm seriously considering doing just that myself one day. It's gotten less and less attractive to me.

Why is anyone surprised?

It amazes me that people still don't understand that social networks don't exist to provide services to users.... they exist to turn users into products that can be sold.

They are going to keep getting more invasive as they figure out new ways to screw you over for a profit.

Re:Why is anyone surprised?

[fuzzyfuzzyfungus]

I'm not surprised ('social networks' in general make you the product, linkedin has always been a touch sleazy, especially for an ostensibly 'professional' site that could theoretically be making its money on the semi up-and-up by offering useful recruiting services); but I am fucking shocked at just what a clusterfuck this particular app is.

So, you install the 'app'. It applies an iOS configuration profile to your phone. those can do rather a lot... In this case (so far) what it does is set up an MiTM that routes all your email through their servers, and dynamically rewrites it to add content of their choice to messages.

It's totally normal for 'social networks' to own you like livestock in everything you do on that network; but reaching out and grabbing all 3rd party email (Oh, man, are some corporate IT/Security people going to be spitting napalm about this one...) that passes through your handset, and including that? Ballsy. Really, really, ballsy. Makes the old "Hey, let's grab their entire contact list!" sleaze-scheme look like amateur hour.

Re:Why is anyone surprised?

[immaterial]

Informative summary; in case anyone cares LinkedIn's official explanation is here: http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios

Re:Why is anyone surprised?

[icebike]

Pretty smug and self congratulatory.
Everyone make sure you put Martin Kleppmann on your DO NOT HIRE list.

I hope Apple steps up and kicks them out of the App Store.

Re:Why is anyone surprised?

[fuzzyfuzzyfungus]

It is admittedly a cute hack (presented in a smarmy tone); but the sheer tone-deafness and unwillingness or inability to recognize that you are proposing to subject potentially-hundreds-of-thousands of people's private information to your cute hack is sickening.

That's what really gets me: If this were random geek giving a little chat about 'stupid IMAP regex tricks; the closest thing to greasemonkey for iOS mail!' and showing off an architecturally similar system for on-the-fly-rewrites of mail to add useful hooks to present features absent in the client, it'd be clever and endearing. But that isn't the game we are playing here. This is a slick, weaponized, weasel-worded-for-wide-deployment dangerous toy we are talking about here.

Either he knows that, and just doesn't give a fuck (in which case he is somewhere beneath contempt and heading further down), or he's dangerously myopic to an almost unbelievable degree.

Re:Why is anyone surprised?

[fuzzyfuzzyfungus]

"All communication from the Mail app to the LinkedIn Intro servers is fully encrypted. Likewise, all communication from the LinkedIn Intro servers to your email provider (e.g. Gmail or Yahoo! Mail) is fully encrypted."

And all (transient) storage of the data being communicated while they are on the LinkedIn servers?

Hmm... Didn't think so.

Also worth noting: In their 'Pledge of Privacy'(which may change from time to time, to 'clarify' things) they have an adorable little elision...

"Do you read my email?

In order to provide the Intro service, the servers use software to extract information from each message: for example, the sender's email address is extracted, so that the servers can search for their LinkedIn profile to include in the message."

Well, ok, the system obviously wouldn't work if it didn't parse the email, right?

"Do you store my email or my password?

During usage, the servers may temporarily cache your emails in order to make emails download faster. When your device starts to download a mail folder, such as your inbox, the servers will pre-emptively download and cache recent messages in that folder. A few seconds later, when your device downloads the individual messages, the servers will provide the cached messages. Your messages are only cached until your device downloads them, and never for more than 1 hour. Typically, your messages are cached for no more than a few minutes."

Well, ok, fast downloads are good, and temporary cache is temporary, so you totally aren't building a giant dossier of all my email, whew.

Now... " the servers use software to extract information from each message". Hmm... it doesn't say a thing about the storage, use, retention, or anything else of that 'extracted information'. Nor (aside from giving the one example that is architecturally necessary, and thus trivial), does it provide any detail about what information is extracted. So, in fact, the only thing I know is that they say that a literal copy of my email is not being stored (Maybe they only store my metadata, like the NSA?) Maybe they store any substrings that match a set of keywords? Who knows? Not you or me.

Re:Why is anyone surprised?

[dcollins]

Nice link. Fascinating how they cream themselves for 2,000 words on the technical challenges they overcame to break into a system not meant for that, but only 3 short sentences that privacy is fine, they're serious, see this link. (At least until uproar made them add the italicized part at the end.) Very telling.

Re:Umm...

[immaterial]

You have to allow their app to install a configuration profile that sets up iOS's Mail app to get your email through LinkedIn's proxy server; then LinkedIn can read your email and inject relevant code directly into the message before it hits the mail client: http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios *barf*

They dump your address book, so I'm not surprised

The only thing I'm not surprised about is that this company hasn't been sued or hacked into the oblivion.

I have a private email address. Only friends and family know about it. I don't use it to sign up for anything on the internet, I have other addresses for that. This particular address is the one I give out to people who might need to pull down a direct line of communication to me, wherever I am on the planet, assuming I have cellular and data connectivity. I also know precisely who has this address, and they are well aware that they're not to give it out to other people without my consent.

One day I started getting spam from these LinkedIn assholes. The kind of spam that never stops, and just keeps badgering you to reply to it or click some stupid fucking button. If you want to "unsubscribe" from their awesome service, you have to go to a fucking website and enter in your email address. What the hell?

Anyways, the person who's account started badgering me to confirm I know them... Never actually gave my email address to LinkedIn. He knew how much I despise modern day social networking and I trust him when he says he would never sign me up for something without my prior permission (why he would ever have a reason to sign me up for anything was beyond the both of us). Yet, there I was- getting spam from LinkedIn irregardless, with no way to stop it except to go to their idiot website and enter in my friggin' email address.

The only conclusion that we could come to was that they leeched it from his phone or laptop *somehow*, because those were the only two places where my super private email address were being held. We later found out that a lot of other people on those address books started getting LinkedIn spam as well, so somehow, LinkedIn basically dumped his entire address book without his permission and started spamming everyone on it.

As far as I'm concerned, LinkedIn can fuck off and go rot in hell. I told myself the next time they spammed me I'd start mailing C&D letters, because I'm sick and tired of having to unsubscribe from their bullshit pestering service every 3 months that I clearly did not sign up for (and if their EULA somehow makes it OK for them to spam me because my friend clicked OK, well, I'd be more then happy to take these fuckers to court over that).

Re:Umm...

[icebike]

It is possible. Read what they say on their own web page:

Once we got the IMAP proxy working, we were faced with another problem: how do we configure a device to use the proxy? We cannot expect users to manually enter IMAP and SMTP hostnames, choose the correct TLS settings, etc — it’s too tedious and error-prone.
Fortunately, Apple provides a friendly way of setting up email accounts by using configuration profiles — a facility that is often used in enterprise deployments of iOS devices. Using this technique, we can simply ask the user for their email address and password, autodiscover the email provider settings, and send a configuration profile to the device. The user just needs to tap “ok” a few times, and then they have a new mail account.

The users have no idea why they are clicking OK, but once its done it works so they ask no questions.
After all, they are Linkedin users, so they automatically aren't too bright.

How is this different from Gmail?

[markjhood2003]

I'm not trying to troll here, but not being a Gmail user, I'm not sure how LinkedIn's scraping of email is any different than Google scraping it for advertising services. I understand that technically LinkedIn is acting as a proxy, and Google as an ISP, but how is the result any different?

Re:How is this different from Gmail?

[icebike]

Google advertises to ME. They don't grab my contacts and send email to them.

Further, if you use a non-web client to read your gmail, you never even see the
ads that they target toward you.

I chose Gmail as my mail handler, knowing full well the rules of the game.
People who use Linkedin had no understanding that they were appointing them as their mail handler.

Time for Apple to Step Up

[Hangtime]

I'm calling on Apple to kick 3rd party applications out of the ability to make a configuration like this. This appears to be a significant security threat to the iOS platform and should be treated as such. Applications should not be able to do this on their own and as we have seen with LinkedIn, it can lead to no good.

For those sysadmins who would like to block this from occurring within their network or on their devices this was taken from Reddit. See the IMAP and SMTP configuration below and block it at the firewall.

IMAP: imap.intro.linkedin.com
SMTP: smtp.intro.linkedin.com
From the Apple configuration profile:
IncomingMailServerHostName imap.intro.linkedin.com IncomingMailServerPortNumber 143 .... OutgoingMailServerHostName smtp.intro.linkedin.com OutgoingMailServerPortNumber 587