LinkedIn Intro App Equivalent to Man in the Middle Attack, Experts Say

LinkedIn’s release of its Intro app yesterday for Apple iOS mobile devices raised more than a few eyebrows for behaviors that are tantamount to a man-in-the-middle attack, experts said.

This is one introduction you may not want to make.

LinkedIn’s release of its Intro app yesterday for Apple iOS mobile devices raised more than a few eyebrows for behaviors that are causing security experts to worry.

Intro is an integrated service that works hand-in-hand with the Apple Mail app native to iPhones and iPads. The service embeds LinkedIn profile information into every message, even though Apple maintains a notoriously strict walled garden around its products that, for example, allows no plug-ins for its native apps.

LinkedIn gets around this by having Intro act as a proxy server sitting between your email provider and the native Mail client: all IMAP and SMTP traffic is routed through LinkedIn's servers on its way to and from the email provider. LinkedIn says Intro does not store email messages; it forwards requests from the iOS device to the provider and relays the provider's responses back to the device. Along the way, each message gets an Intro bar inserted into it with a photo of the sender and a dropdown of more information from their LinkedIn profile.

The potential for security exposures and privacy violations is almost limitless, security experts said, citing concerns over corporate email policy violations, broken cryptographic signatures and the creation of a central collection point for government surveillance efforts.

“Intro works by pushing a security profile to your device; they’re not just installing the Intro app. They have to do this in order to re-route your emails,” wrote Bishop Fox analysts Vinnie Liu and Carl Livitt in a blogpost. “But, these security profiles can do much, much more than just redirect your emails to different servers. A profile can be used to wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things.

“Most of your end users aren’t going to understand the impact of these changes, nor will they know how to reverse them if they wanted to do so,” Liu and Livitt said. “You are effectively putting your trust in LinkedIn to manage your users’ device security.”
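The practical question raised by a pushed profile is what its payloads actually grant. An email payload (com.apple.mail.managed) only points Mail at different IMAP/SMTP hosts, whereas MDM, restrictions, root-certificate, global-proxy or VPN payloads give the issuer far broader control over the device. The following script is an added example, not code from the article or from LinkedIn: it uses Python's standard plistlib to list where an unsigned .mobileconfig sends mail and to flag those higher-risk payload types. The embedded profile is constructed with placeholder hostnames (imap-proxy.example.net and smtp-proxy.example.net), not LinkedIn's real infrastructure; the payload keys are Apple's documented Email payload keys.

```python
import plistlib

# Constructed sample .mobileconfig (unsigned XML plist). Hostnames are placeholders,
# not LinkedIn's real servers; the keys are Apple's documented Email payload keys.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mailproxy</string>
  <key>PayloadDisplayName</key><string>Example mail proxy profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>IncomingMailServerHostName</key><string>imap-proxy.example.net</string>
      <key>IncomingMailServerPortNumber</key><integer>993</integer>
      <key>IncomingMailServerUseSSL</key><true/>
      <key>OutgoingMailServerHostName</key><string>smtp-proxy.example.net</string>
      <key>OutgoingMailServerPortNumber</key><integer>587</integer>
      <key>OutgoingMailServerUseSSL</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# Apple payload types that grant control far beyond configuring one mail account.
HIGH_RISK_PAYLOADS = {
    "com.apple.mdm": "MDM enrollment: remote lock/wipe, app install and removal",
    "com.apple.applicationaccess": "Restrictions: disables device features and apps",
    "com.apple.security.root": "Root CA: lets the issuer intercept TLS connections",
    "com.apple.proxy.http.global": "Global HTTP proxy for all web traffic",
    "com.apple.vpn.managed": "VPN that can carry all device traffic",
}


def load_profile(data: bytes) -> dict:
    """Parse an unsigned profile. Signed profiles are CMS (PKCS#7) wrapped; unwrap
    those first, e.g. `openssl smime -inform der -verify -noverify -in p.mobileconfig`."""
    head = data.lstrip()[:8]
    if not (head.startswith(b"<?xml") or head.startswith(b"bplist")):
        raise ValueError("not a bare plist; probably CMS-signed, unwrap it first")
    return plistlib.loads(data)


def inspect_profile(data: bytes) -> dict:
    """Return the mail-server redirections and any high-risk payloads in a profile."""
    profile = load_profile(data)
    report = {"identifier": profile.get("PayloadIdentifier"), "mail": [], "high_risk": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mail.managed":
            report["mail"].append({
                "imap_host": payload.get("IncomingMailServerHostName"),
                "imap_port": payload.get("IncomingMailServerPortNumber"),
                "imap_tls": bool(payload.get("IncomingMailServerUseSSL", False)),
                "smtp_host": payload.get("OutgoingMailServerHostName"),
                "smtp_port": payload.get("OutgoingMailServerPortNumber"),
                "smtp_tls": bool(payload.get("OutgoingMailServerUseSSL", False)),
            })
        elif ptype in HIGH_RISK_PAYLOADS:
            report["high_risk"].append((ptype, HIGH_RISK_PAYLOADS[ptype]))
    return report


def add_payload(data: bytes, payload: dict) -> bytes:
    """Append one payload dict and re-serialize; used to show how the report changes
    when a mail-only profile also carries, say, an MDM payload (hypothetical)."""
    profile = load_profile(data)
    profile.setdefault("PayloadContent", []).append(payload)
    return plistlib.dumps(profile)


if __name__ == "__main__":
    cases = [("mail only", SAMPLE_PROFILE),
             ("mail + MDM", add_payload(SAMPLE_PROFILE, {"PayloadType": "com.apple.mdm"}))]
    for label, blob in cases:
        r = inspect_profile(blob)
        print(label, "->", r["mail"], "| high-risk:", r["high_risk"] or "none")
```

The check is deliberately narrow: a profile that only carries com.apple.mail.managed can redirect mail but cannot wipe or restrict the device, while any hit in the high-risk list means the issuer holds far more than mail routing. Real profiles are usually CMS-signed, so unwrap them with openssl before feeding them to the script.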

LinkedIn says it will cache email passwords for the length of time it takes to install the Intro app, and never more than two hours. “Typically, your password is cached for no more than one minute,” LinkedIn said in a privacy pledge posted on its website.

“While the implementation is an interesting solution to a limitation, it introduces too much risk for anyone to use even with the pledge of privacy,” said Michael Yuen, security researcher at application security company Cenzic. “It is not LinkedIn that I worry about, but malicious attackers that want to take advantage of the weakness in security that the proxy creates.”

As for storing messages, or message metadata, LinkedIn said its servers may cache emails in order to have them download faster.

“All cached information is held securely to industry standards,” LinkedIn said. “Each piece of data is encrypted with a key that is unique to you and your device, and the servers themselves are secured and monitored 24/7 to prevent any unauthorized access.”

Because Intro adds data to each message, changing both its content and its structure, experts worry that it will undermine the security of the message itself.

“Cryptographic signatures will break because LinkedIn is rewriting your outgoing emails by appending a signature on the end,” Liu and Livitt wrote. “This means email signatures can no longer be verified. Encrypted emails are likely to break because of the same reason—extra data being appended to your messages.”
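To make the proxy rewrite described earlier and the signature problem concrete, here is an added example that is not part of the article or of LinkedIn's software. It appends an Intro-style bar to a constructed text/plain message the way an in-path proxy would, then shows that a body hash computed by the sender (the DKIM bh= value under RFC 6376 "simple" canonicalization, used here as a stand-in for any signature bound to the body, PGP/MIME and S/MIME included) no longer verifies. The message, the bar text and the hex encoding of the hash are assumptions of the example; a real DKIM verifier would additionally check the header hash and the RSA signature, which are omitted.

```python
import hashlib
from email import message_from_bytes, policy

# Constructed sample message (not real traffic).
ORIGINAL = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Meeting\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"See you at 3pm.\r\n"
    b"-- \r\n"
    b"Alice\r\n"
)

# Constructed stand-in for the profile text the proxy inserts.
INTRO_BAR = "LinkedIn Intro: Alice Example, Security Engineer at Example Corp"


def canonical_body(raw: bytes) -> bytes:
    """DKIM 'simple' body canonicalization (RFC 6376 section 3.4.3): CRLF line
    endings, trailing empty lines removed, exactly one CRLF at the end."""
    _, _, body = raw.partition(b"\r\n\r\n")
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(raw: bytes) -> str:
    """The bh= value a DKIM signer computes over the canonical body (hex here,
    base64 in real DKIM)."""
    return hashlib.sha256(canonical_body(raw)).hexdigest()


def verify_body_hash(raw: bytes, expected_bh: str) -> bool:
    """What a receiver does with the bh= tag, minus the RSA signature check."""
    return body_hash(raw) == expected_bh


def inject_intro_bar(raw: bytes, bar: str) -> bytes:
    """Simulate an in-path proxy appending profile text to a text/plain message.
    policy.SMTP keeps CRLF line endings so the output is still wire-format."""
    msg = message_from_bytes(raw, policy=policy.SMTP)
    if msg.get_content_type() != "text/plain":
        raise ValueError("this example only rewrites single-part text/plain messages")
    msg.set_content(msg.get_content().rstrip("\r\n") + "\n\n" + bar)
    return msg.as_bytes()


if __name__ == "__main__":
    bh = body_hash(ORIGINAL)                       # computed by the sender's signer
    rewritten = inject_intro_bar(ORIGINAL, INTRO_BAR)
    print("original verifies:  ", verify_body_hash(ORIGINAL, bh))
    print("rewritten verifies: ", verify_body_hash(rewritten, bh))
```

The point generalizes: any signature that covers the body (DKIM, PGP/MIME, S/MIME) is bound to the exact canonical bytes, so a proxy that appends even one line after signing invalidates it, and a verifier cannot distinguish that benign edit from a malicious one.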

LinkedIn suffered a breach in June 2012 when a hacker was able to download the hashed passwords of 6.5 million of its 238 million members. The hashes were posted to a Russian underground forum and some of the stolen credentials were compromised, the company admitted. Further, it urged users to change their password and said it would also begin salting passwords, in addition to hashing them.

In September of this year, LinkedIn made a plea not only to the Foreign Intelligence Surveillance Court but to the FBI as well, expressing its desire to share more information on the number of National Security Letters it receives and calling the ban on sharing NSL data unconstitutional. Companies are allowed to report the number of NSL requests they receive only in bands of 1,000, something companies such as LinkedIn, Facebook and others say reduces transparency.

In LinkedIn’s most recent transparency report, it said it fielded 83 law enforcement and government requests for member data during the first half of 2013, 70 of those from the United States; LinkedIn provided data in 57 percent of those cases in the U.S.
