Pages

Friday, 25 October 2013

LinkedIn's new mobile app called 'A dream for attackers'

linkedin-buliding-ap-635.jpg
Security researchers are calling LinkedIn's new mobile app, Intro, a dream come true for hackers or intelligence agencies.
"I'm flabbergasted by this," Richard Bejtlich, the chief research officer at the computer security company Mandiant, said in an interview Wednesday. "I can't believe someone thought this was a good idea."
Intro is an email plug-in for iOS users that pulls LinkedIn profile information into emails so that the sender's job title appears front-and-center in emails on a user's iPhone or iPad.
Some bloggers have hailed it as a smart play by LinkedIn to get more mobile action and to get users to stop thinking of the service as a static website they visit every couple of years to update their employment status.
But security researchers have taken issue with the way the app works. Intro redirects email traffic to and from users' iPhones and iPads through LinkedIn's servers, then analyzes and scrapes those emails for relevant data and adds pertinent LinkedIn details.
Researchers liken that redirection to a "man-in-the-middle attack" in which hackers, or more recently, intelligence agencies, intercept Internet traffic en route to its destination and do what they will with it.
Iranian hackers used that tactic to intercept dissidents' Gmail accounts in 2011, by hacking into DigiNotar, a Dutch certificate authority. The National Security Agency is accused of using such tactics to snoop on Google traffic, according to recent revelations by Edward Snowden.
Security researchers say LinkedIn essentially does the same thing in the name of a new mobile feature.
"'But that sounds like a man-in-the-middle attack!' I hear you cry," Bishop Fox, a security consulting group, wrote in a blog post. "Yes. Yes it does. Because it is. That's exactly what it is. And this is a bad thing. If your employees are checking their company email, it's an especially bad thing."
LinkedIn has responded to some of those concerns in an amended blog post Thursday. The company notes that customers must opt in to the app and that, once they do, their email is encrypted to and from LinkedIn's servers. The company also notes that LinkedIn does not store any email on its servers.
But researchers note that, in order for LinkedIn to stick changes into an email, they must decrypt it and then encrypt it again en route to its recipient, adding a new layer of insecurity to email in transit.
"I worry LinkedIn is not going to treat this as the holy grail for people's email, even though it is," Bejtlich said. "The risk is that you essentially trust a box, run by LinkedIn, with your email. It's a target for someone that wants to get to your email. All the fears people now have about email - that they will be intercepted by intelligence agencies for instance - are present."
LinkedIn has not had the best security profile. After the service was hacked last year, 6 million user passwords popped up on a Russian message board, revealing that the company used only bare basic security protocols. And last month, the company became the target of a class-action suit by users who said it was improperly accessing their data.
Bishop Fox, the security consulting firm, called the app "a dream for attackers" and enumerated specific concerns in a blog post. Among them: By giving LinkedIn access to their emails, users may be waiving their rights to attorney-client privilege. The consultancy also warned users that, by opting into Intro, they may be "in gross violation" of their employer's security policies.
"I don't think people who use this are seriously thinking about the implications of LinkedIn seeing and changing their email," Bejtlich noted. "These changes are done in the name of a feature, or speed, but it just completely breaks the idea that email traffic is going where it should go and no place else."

No comments:

Post a Comment