Skip to main content

LinkedIn Intro called 'a dream for attackers' by security researchers

LinkedIn Intro called 'a dream for attackers' by security researchers


New email service raises privacy concerns

Share this story

Linkedin intro google auth
Linkedin intro google auth

LinkedIn's Intro, an ambitious service that inserts LinkedIn profile information into your iOS emails, has been slammed by security researchers. As The New York Times reports, several researchers have spoken out against Intro, likening it to a "man-in-the-middle attack." The concerns arise from how LinkedIn adds profile information to your email. Essentially, when signing up for the service you authorize LinkedIn to scan your emails. When its server detects a person with a LinkedIn profile, it adds in data to your email and sends it to you. It's a neat trick, but it also means that a third party is scanning all your emails.

In a lengthy blog post, security firm Bishop Fox describes Intro as "a dream for attackers," a viewpoint shared by Richard Bejtlich, a researcher at Mandiant that The New York Times interviewed for its report. "I don't think people who use this are seriously thinking about the implication of LinkedIn seeing and changing their email," Bejtlich tells the paper. "It just completely breaks the idea that email traffic is going where it should go and no place else."

LinkedIn had a major security breach last year

Both Bishop Fox and the NYT also raise an important point: last year, LinkedIn fell victim to perhaps the most public username and password theft in recent history. The company saw 6.4 million user accounts compromised, and it was established that the professional social network had not followed best practices when securing users' data. With privacy and security high on the public agenda following this year's NSA leaks, several researchers have raised the point that Intro makes LinkedIn a big target for government surveillance.

All data to and from your device is encrypted

There's a parallel to be drawn with LinkedIn's system, and it's one that many mobile users have benefitted from. Mobile browsers like Opera, and more recently Google Chrome, offer services that compress your browsing data. That's done by passing your data through the companies' servers before it's sent to you. Such services have also come under fire for posing a possible security issue, though they remain available. Of course, your email is private, personal, and very different from your general web browsing, but it's worth noting that LinkedIn Intro is making similar claims in regards to security. The social network says all data is encrypted to and from your device, and that your passwords, email contents, and security tokens are stored on your iPhone rather than LinkedIn's servers.