Monday, October 28, 2013

LinkedIn’s New Mobile App Called ‘a Dream for Attackers’

OCTOBER 24, 2013, 8:03 PM


Security researchers are calling LinkedIn’s new mobile app, Intro, a dream come true for hackers or intelligence agencies.
“I’m flabbergasted by this,” Richard Bejtlich, the chief research officer at the computer security company Mandiant, said in an interview on Wednesday. “I can’t believe someone thought this was a good idea.”
Intro is an e-mail plug-in for iOS users that pulls LinkedIn profile information into e-mails so that the sender’s job title appears front-and-center in e-mails on a user’s iPhone or iPad.
Some bloggers have hailed it as a smart play by LinkedIn to get more mobile action and to get users to stop thinking of the service as a static Web site they go to every couple of years to update their employment status.
But security researchers have taken issue with the way the app works. Intro redirects e-mail traffic to and from users’ iPhones and iPads through LinkedIn’s servers, then analyzes and scrapes those e-mails for relevant data and adds pertinent LinkedIn details.
Researchers liken that redirection to a so-called man-in-the-middle attack in which hackers, or more recently, intelligence agencies, intercept Internet traffic en route to its destination and do what they will with it.
Iranian hackers used that tactic to intercept dissidents’ Gmail accounts in 2011, by hacking into DigiNotar, a Dutch certificate authority. The National Security Agency is accused of using man-in-the-middle attack tactics to snoop on Google traffic, according to recent revelations by Edward Snowden.
Security researchers say LinkedIn essentially does the same thing in the name of a new mobile feature.
” ‘But that sounds like a man-in-the-middle attack!” I hear you cry,’ ” Bishop Fox, a security consulting group wrote in a blog post. “Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing.”
LinkedIn has responded to some of those concerns in an amended blog post Thursday. The company notes that customers have to opt in to the app and that, once they do, their e-mail is encrypted to and from LinkedIn’s servers. The company also notes that LinkedIn does not store any e-mail on its servers.
But researchers note that in order for LinkedIn to stick changes into an e-mail, they have to decrypt it and then encrypt it again en route to its recipient, adding a new layer of insecurity to e-mail in transit.
“I worry LinkedIn is not going to treat this as the holy grail for people’s e-mail, even though it is,” said Mr. Bejtlich. “The risk is that you essentially trust a box, run by LinkedIn, with your e-mail. It’s a target for someone that wants to get to your e-mail. All the fears people now have about e-mail — that they will be intercepted by intelligence agencies for instance — are present.”
LinkedIn has not had the best security profile. After the service was hacked last year, six million user passwords popped up on a Russian message board, revealing that the company used only bare basic security protocols. And last month, the company became the target of a class-action suit by users who said it was improperly accessing their data.
Bishop Fox, the security consulting firm, called the app “a dream for attackers” and enumerated specific concerns in a blog post. Among them: By giving LinkedIn access to their e-mails, users may be waiving their rights to attorney-client privilege. The consultancy also warned users that by opting into Intro, they may be “in gross violation” of their employer’s security policies.
“I don’t think people who use this are seriously thinking about the implications of LinkedIn seeing and changing their e-mail,” notes Mr. Bejtlich. “These changes are done in the name of a feature, or speed, but it just completely breaks the idea that e-mail traffic is going where it should go and no place else.”
 

No comments:

Post a Comment