Security experts denouncing LinkedIn’s new email application over privacy concerns are merely raising a false alarm, says the social network’s information security manager. Most veteran security professionals, however, seem to be voicing the same opinion: LinkedIn Intro is insecure.
Intro was introduced last week for iPhone users. The application routes a user’s email through LinkedIn’s servers on its way to the recipient, operating much like a benign man-in-the-middle. The professional social networking site intends for that middle link to analyze each email and attach additional profile information to the message before it reaches the recipient’s inbox. In doing so, the Intro server also stores email data for a short while in encrypted form and then removes those data from its system once the recipient has received the email.
LinkedIn describes the aim of the new service briefly:
“When people email you, we show you their LinkedIn profile: you can put faces to names, write more effective emails, and establish rapport. You can grow your professional network by connecting with them on LinkedIn.”
Is Intro Safe for Users?
What may look protected to LinkedIn Information Security Manager Cory Scott appears rather vulnerable to some security researchers.
In security firm Bishop Fox’s own assessment, for example, Intro exposes sensitive data to malicious third parties who could turn the middle-link design to their advantage.
Bishop Fox describes what a security profile can do:
“These security profiles can do much, much more than just redirect your emails to different servers. A profile can be used to wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things.”
Scott concedes that such an attack could be possible, given the unpredictable behavior of the threat landscape. He continues to believe, however, that Intro is built with the most secure implementation possible. Scott says the LinkedIn team has analyzed every way a hacker could exploit the Intro server and put the necessary security controls in place to fend off attacks and protect users’ data. In other words, the company tapped the expertise of internal and external security professionals, who put Intro through acid tests to gauge how well the system could withstand cyber threats.
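As an added illustration, not code from the article, from LinkedIn or from Bishop Fox: the script below inspects an iOS configuration profile (the `.mobileconfig` plist format that the “security profiles” Bishop Fox describes above are assumed to be) and reports the two things a defender would want to check before accepting one. First, whether any mail-account payload points the phone’s IMAP or SMTP traffic at a host other than the user’s real provider, which is the relay arrangement described earlier; second, whether the profile carries high-impact payload types such as MDM enrolment, which is what makes wiping a phone or installing applications possible. The sample profile, its host names and the one-line payload descriptions are constructed for this example; the payload type identifiers and key names are Apple’s documented ones.

```python
import plistlib
from typing import Iterable, Iterator, List

# Payload types a reviewer should treat as high impact. Descriptions are a
# one-line summary of Apple's configuration profile documentation.
HIGH_IMPACT_PAYLOADS = {
    "com.apple.mdm": "MDM enrolment (remote wipe, app install/removal, policy push)",
    "com.apple.applicationaccess": "device restrictions (disables features)",
    "com.apple.security.root": "installs a root certificate the device will trust",
    "com.apple.vpn.managed": "routes device traffic through a managed VPN",
}

# Constructed sample profile for the example (not a real vendor's profile):
# a managed mail account that sends IMAP/SMTP to a third-party relay, plus an
# MDM payload. Host names and identifiers are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.profile.constructed</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadIdentifier</key><string>example.mail</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>IncomingMailServerHostName</key><string>imap-relay.example.net</string>
      <key>OutgoingMailServerHostName</key><string>smtp-relay.example.net</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>example.mdm</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def iter_payloads(profile: dict) -> Iterator[dict]:
    """Yield each payload dictionary listed under the top-level PayloadContent."""
    for payload in profile.get("PayloadContent", []):
        if isinstance(payload, dict):
            yield payload


def audit_profile(data: bytes, expected_mail_hosts: Iterable[str]) -> List[str]:
    """Return human-readable findings for a configuration profile.

    expected_mail_hosts: the host names the user's mail provider actually uses.
    Any mail payload that points incoming or outgoing mail elsewhere is flagged
    as a possible relay; any high-impact payload type is flagged by name.
    """
    profile = plistlib.loads(data)
    expected = {h.lower() for h in expected_mail_hosts}
    findings: List[str] = []
    for payload in iter_payloads(profile):
        ptype = payload.get("PayloadType", "")
        pid = payload.get("PayloadIdentifier", "?")
        if ptype in HIGH_IMPACT_PAYLOADS:
            findings.append(f"{pid}: {ptype} -> {HIGH_IMPACT_PAYLOADS[ptype]}")
        if ptype == "com.apple.mail.managed":
            for key in ("IncomingMailServerHostName", "OutgoingMailServerHostName"):
                host = str(payload.get(key, "")).lower()
                if host and host not in expected:
                    findings.append(
                        f"{pid}: {key}={host} is not an expected mail host (possible relay)"
                    )
    return findings


if __name__ == "__main__":
    # The user's real provider hosts are assumed to be these placeholders.
    for line in audit_profile(SAMPLE_PROFILE, ["imap.example.com", "smtp.example.com"]):
        print(line)
```

Run against a profile whose mail hosts match the provider's own, the script reports only the high-impact payloads; against the sample it reports both relay hosts and the MDM payload, which is the combination the article's critics are worried about.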
Still Vulnerable to Threats
Moreover, the company says, the server is part of LinkedIn’s own network, so there is only a slim chance that third-party services could gain full access to it. That would be reassuring, except that LinkedIn’s own network is not impervious to compromise. It can be recalled that LinkedIn fell prey to a security breach in 2012. If it happened to the company’s network itself, what would prevent it from befalling one of its sub-systems?