LinkedIn stood up for its new Intro app for iOS by providing some high-level transparency into how it handles communication between devices and its network, and took time to call initial criticism of the app inaccurate and speculative.
In the meantime, one security researcher posted details online of how he was able to spoof the profile information LinkedIn drops into the iOS Mail app and the relative ease with which this facilitates a phishing attack.
Intro arrived last Wednesday and immediately security experts voiced concern over the integrated service’s behavior, in particular how it sits as a proxy between the native iOS Mail client and your email provider. All IMAP and SMTP messages are routed to and from LinkedIn’s servers and an Intro bar is inserted into every message. The bar is essentially a shortcut to the sender’s LinkedIn profile, and includes their profile picture and a dropdown with additional information about the person and links back to their profile.
Bishop Fox, a security consultancy in San Francisco, posted a lengthy warning about Intro, pointing out that the app likely violates corporate email policy, breaks cryptographic signatures and creates a central collection point for government surveillance.
“Most of your end users aren’t going to understand the impact of these changes, nor will they know how to reverse them if they wanted to do so,” Bishop Fox analysts Vinnie Liu and Carl Livitt said. “You are effectively putting your trust in LinkedIn to manage your users’ device security.”
Bishop Fox also asserted that Intro installs a new security profile onto the Apple device in order to re-route email messages through LinkedIn. They warn that the insertion of a new security profile could enable an attacker to install or delete apps, restrict functionality on the phone or even wipe it clean.
LinkedIn senior manager for information security Cory Scott said Intro does not change the device’s security profile as Bishop Fox suggests.
“We worked to help ensure that the impact of the iOS profile is not obtrusive to the member,” Scott wrote in a blogpost on Saturday. “It’s important to note that we simply add an email account that communicates with Intro. The profile also sets up a certificate to communicate with the Intro Web endpoint through a Web shortcut on the device.”
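The dispute above turns on what the Intro configuration profile actually installs: a new mail account whose IMAP and SMTP servers point at LinkedIn rather than the user's provider, plus a certificate. An administrator can check that for themselves before letting such a profile onto managed devices. The script below is an added example (not LinkedIn's or Bishop Fox's code) that parses an unsigned XML `.mobileconfig` and reports mail payloads whose servers are not the organisation's own, as well as any certificate payloads. It assumes the mail payload type `com.apple.mail.managed` with the `IncomingMailServerHostName` and `OutgoingMailServerHostName` keys as documented in Apple's Configuration Profile Reference; the trusted host list and the sample profile are constructed.

```python
"""Flag iOS configuration profiles that reroute mail through a third-party host.

Added example, not LinkedIn's or Bishop Fox's code. Assumes an unsigned XML
plist (.mobileconfig) and mail payloads of type com.apple.mail.managed with
IncomingMailServerHostName / OutgoingMailServerHostName keys (Apple's
Configuration Profile Reference). Host names and the sample profile are
constructed for this example.
"""
import plistlib

# Hosts the organisation actually operates mail on (constructed values).
TRUSTED_MAIL_HOSTS = {"imap.example-corp.com", "smtp.example-corp.com"}

# Constructed sample profile: one mail account payload whose IMAP/SMTP
# servers point somewhere other than the corporate mail hosts, plus a root
# certificate payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.constructed.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadIdentifier</key><string>com.example.constructed.mail</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>IncomingMailServerHostName</key><string>imap.proxy.example.net</string>
      <key>OutgoingMailServerHostName</key><string>smtp.proxy.example.net</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.constructed.cert</string>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_profile(profile_bytes, trusted_hosts=TRUSTED_MAIL_HOSTS):
    """Return a list of human-readable findings for mail and certificate payloads."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        pid = payload.get("PayloadIdentifier", "<no id>")
        if ptype == "com.apple.mail.managed":
            # A mail account whose servers are not ours means mail is being proxied.
            for key in ("IncomingMailServerHostName", "OutgoingMailServerHostName"):
                host = payload.get(key, "").lower()
                if host and host not in trusted_hosts:
                    findings.append(f"{pid}: {key} routes mail via untrusted host {host}")
        elif ptype.startswith("com.apple.security."):
            # Certificate payloads deserve a look regardless of who issued them.
            findings.append(f"{pid}: installs certificate payload {ptype}")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING", finding)
```

Run it against a profile exported from a test device; a clean corporate profile should produce no mail findings, while one that inserts a proxy account will name the foreign hosts explicitly.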
Scott also said Intro is isolated on a separate network segment, that its services were hardened to reduce exposure to third-party monitoring and tracking, and that every line of credential-handling and mail parsing/insertion code was reviewed by security consultancy iSEC Partners and pen-tested by LinkedIn’s internal analysts.
In addition, Scott confirmed that SSL/TLS is used to encrypt communication between the device, LinkedIn and the email provider.
“When mail flows through the LinkedIn Intro service, we make sure we never persist the mail contents to our systems in an unencrypted form,” Scott said. “And once the user has retrieved the mail, the encrypted content is deleted from our systems.”
None of that, however, stopped security researcher Jordan Wright, a security engineer at CoNetrix, from spoofing the Intro profile information inserted into a Mail client message.
Wright posted some details on his blog. He started by intercepting the configuration profile sent to an Apple device, which installs the new email account that points the Mail client at LinkedIn’s IMAP and SMTP proxy servers. From the profile, he was able to recover the username and password used to log into LinkedIn’s services. Using that information, he was able to see the content LinkedIn’s IMAP proxy injects into an email and ultimately hide the existing Intro data in favor of spoofed data he injected into the message.
He demonstrated a harmless example online, but an attacker could just as easily inject links to malicious sites or apps.
“While LinkedIn Intro seems like it would be useful on the surface, the security risks of using it are simply too high,” Wright said.