LinkedIn hits back at claims of Intro email service's security risks

Linkedin Pen

Plans by the business network LinkedIn to "enhance" users' email on iPhones by adding detail via a proxy server have been criticised as a security risk, but the company says such fears are "purely speculative".

The company outlined its plans in a blogpost, describing how its new "Intro" service filters email through a LinkedIn server before sending it onto the user, identifying LinkedIn users and injecting their details into the emails through a new interactive box that appears at the top of each email.

“I'm sure the engineers who developed Intro are patting themselves on the back about how clever they have been – but it has ghastly implications,” claimed independent security expert Graham Cluley in a blog post.

"I'm not suggesting that they have created LinkedIn Intro with any malicious intentions (unless you consider them injecting an advertisement for their brand in every email malicious), but clearly security is not part of the website's DNA – and that troubles me."

‘A middleman for all their emails’

In order to inject the Intro service into the top of a user’s email, the LinkedIn servers require full access to their email account, connecting directly with the user’s email servers and then forwarding the modified email to the iPhone through the use of a custom security profile users install on their iPhones.

“I cannot imagine any security-conscious firm being comfortable with its employees handing LinkedIn access to its emails – it just introduces another link in the privacy chain which could be potentially exploited,” wrote Cluley.

LinkedIn has responded to the criticism in a blogpost of its own from information security manager Cory Scott promising to "address inaccurate assertions" made about Intro. "Many things have been said about the product implementation that are not correct or are purely speculative, so this post is intended to clear up these inaccuracies and misperceptions," wrote Scott.

"When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible. We explored numerous threat models and constantly challenged each other to consider possible threat scenarios."

Scott described how the company employed SSL encryption during the email transit between servers, isolated the Intro systems from the rest of LinkedIn’s networks, and employed security firm iSEC Partners to test the security of the system prior to launch.

Despite those assurances, security fears still exist, especially given an incident in which users' passwords were compromised last year. "Does anyone really want LinkedIn – of all companies – to act as a middleman for all of their emails?” asked Cluely.

Putting faces to names breeds a phishing risk

Based on technology acquired by LinkedIn through its purchase of email company Rapportive in 2012, Rahul Vohra described the Intro service as “everything you need to put faces to names”.

Cluley is not the only person questioning Intro's potential for security risks. Jordan Wright, an engineer at security firm CoNetrix, published his own blogpost criticising the new feature on the grounds that its injection of names and faces from LinkedIn's network could provide a false sense of security that is ripe for exploitation by "phishing" emails.

“While Linkedin Intro seems like it would be useful on the surface – the security risks of using it are simply too high,” wrote Wright, before suggesting that "by giving users a false sense of security when they see the Intro information in an email” LinkedIn has made it possible to create highly realistic phishing emails, increasing the likelihood that unsuspecting users could fall for malicious social engineering.

All email received passes through LinkedIn's servers

The Intro service is also has implications for data privacy, even for those who aren’t directly using the service as all email received by an Intro user will pass through LinkedIn’s servers.

“It galls me to think that any email I send to someone who signs up for this service, will now be sharing my private correspondence with LinkedIn as well,” said Cluley.

However, LinkedIn's Scott maintained that the service will use its existing pledge of privacy and privacy policy to govern its handling of data harvested by its new feature.

"After having been a member of the security community for more than 15 years, I understand that healthy scepticism and speculation towards worst-case scenarios are an important part of the security discipline; however, we felt, in this case, it was necessary to correct the misperceptions," he wrote.

"We welcome and encourage an open dialogue about the risks that are present in all internet-based services that handle electronic mail and other sensitive data."

• In June 2012, LinkedIn suffered two security breaches, one of which was self inflicted, that saw user data including account passwords posted on the internet by hackers

Powered by article was written by Samuel Gibbs, for on Monday 28th October 2013 15.35 Europe/London © Guardian News and Media Limited 2010


image: © Sheila Scarborough