OFFICIAL SECURITY BLOG
October 30, 2013 | BY Armando Orozco
LinkedIn recently launched Intro, an iOS app that integrates LinkedIn’s profiles with the iOS mail app, where all incoming emails will display the senders’ LinkedIn profile.
Sounds very useful, especially if you’re looking to grow your network of professional connections. What’s causing a bit of a stir is how it’s implemented and the potential for security holes.
Apple’s walled garden presented challenges to LinkedIn and they couldn’t create a plug-in to work along the iOS mail client. They had to think outside the box and came up with a way to filter email using a proxy server, add their content, and send the email on its way.
What the proxy does is add content to the email message, LinkedIn calls the “top bar”, this bar contains the LinkedIn data where you’ll see a brief overview of the sender and can connect with if you like.
Pretty clever, but is giving another company access to our email content a good idea? Security researcher Bishop Fox outlines a number of things in a blog warning about Intro, such as potentially storing email content and LinkedIn’s own security being breached last year.
Information is money and I can see where LinkedIn is going with this, but I also see how the bad guys could target this—phishing, exploiting this very proxying method—maybe a way to target Apple users.
I don’t think LinkedIn is up to anything sketchy here. They are aware of the security concerns and taking them seriously, but if you are using Intro it might be worthwhile to consider what email accounts you have linked to it and what information is shared.
Rethinking the tools we use is acceptable when we give them access to our confidential data, so we have another app here to scratch our head about.