The devil is in the details

LINKEDIN just gave its users another reason to ensure their resumes are up to date. The online professional network has introduced a mobile feature that shows information about people's careers in emails being read on iPhones.

The feature released Wednesday works with Gmail, Yahoo Mail, AOL Mail and Apple Inc.'s iCloud when any of them are plugged into the iPhone's built-in email app. LinkedIn plans to update the feature so it also works with Microsoft Outlook.com and Exchange email. It's available at https://intro.linkedin.com/

So how exactly does LinkedIn display a user's LinkedIn profile when viewing an email from them in iOS's Mail app?

IT USES AN IMAP PROXY TO INJECT HTML INTO THE USER'S EMAIL. Read that again.

Employees can route all of their email through an IMAP proxy under LinkedIn's control, after providing LinkedIn with their email credentials. Not only is this a massive personal privacy violation (granted, it is done with the user kind of knowing what they are getting into, since it is opt-in), it is also a bigger enterprise issue.

Any internal and sensitive business information circulated to staff can be read by LinkedIn or by anyone with access to their proxies. Moreover, an employee's email credentials may be the same ones used for enterprise applications (VPN, RDP), opening the door to potential intrusions.

LinkedIn may have 'good intentions' but that doesn't matter. Someone could access those proxies and read the information or, worse, gain access to the stored credentials for those email services. From there the third party can go to town.

To make a bad situation worse, the supplied article appears to be a press release. It contains absolutely no research into, or concern about, the potential privacy and security risks.

The author? AAP Staff Writers.


Moreover…

LinkedIn's Engineering blog has a post talking about how they built LinkedIn Intro. Here's one thing that concerns me:

  • Whole article: ~1,509 words
  • Words talking about security & privacy: 55 words.