LinkedIn 'Intro'duces Insecurity
by Bishop Fox, on Oct 23, 2013 10:16:22 AM
Don't make the mistake of thinking you're [the] customer, you're not – you're the product.
– Bruce Schneier
LinkedIn released a new product today called Intro. They call it “doing the impossible”, but some might call it “hijacking email”. Why do we say this? Consider the following:
Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn's servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.
"But that sounds like a man-in-the-middle attack!" I hear you cry. Yes. Yes it does. Because it is. That's exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing.
Why is this so bad? Here's a list of 10 reasons to start:
1. Attorney-client privilege.
You use your email to stay in touch with everyone in your life from your family to your friends to your business associates. And you may exchange particularly sensitive messages with certain people like your lawyer, doctor, psychotherapist, or spiritual advisor. These communications are generally legally privileged and can’t be used as evidence in court – but only if you keep the messages confidential.
“If you let a third party have access to your privileged email, you could be waiving important legal protections,”
-Marcia Hofmann, Attorney and former senior staff attorney at the EFF
To be certain if you’re concerned about the legal effect of letting LinkedIn have unfettered access to your email, you should check with your counsel…on a system that doesn’t have Intro installed.
2. By default, LinkedIn changes the content of your emails.
Be aware that outgoing emails receive an additional signature. Incoming emails receive additional LinkedIn profile data. The introduction of new data sources into a medium rife with security issues such as email is a dream for attackers. We’re curious how long until someone finds an innovative way to phish through Intro.
3. Intro breaks secure email.
Cryptographic signatures will break because LinkedIn is rewriting your outgoing emails by appending a signature on the end. This means email signatures can no longer be verified.
Encrypted emails are likely to break because of the same reason – extra data being appended to your messages.
If you forward an email to someone else, the LinkedIn profile data stays in the email. What if you don’t want it to? What if they don’t want you to and it pisses them off?
4. LinkedIn got owned.
This happened last year, and estimates of 6.5 million usernames and hashed passwords were leaked to a Russian message board. They were using unsalted hashed passwords, which is a terrible design decision. LinkedIn has a documented history of insecure design practice. So as anybody who has ever assessed a vendor would want to know:
a. Who did the security review of the Intro app?
b. Are there outstanding security vulnerabilities?
c. Can we see a copy of a Letter of Assessment?
5. LinkedIn is storing your email communications.
It’s metadata, or so they claim. In particular, the list of people with whom you communicated is saved because “If you are not connected with the person on LinkedIn, we may later suggest them as a connection on the LinkedIn website and in our other mobile apps.”
Think about it this way. A vendor tells you they will install a device on your network that monitors all your email so they can insert their data into your emails. They’ll do this for free – except they want to have unfettered access to all your emails and mine them for information about your users. They don’t say what exactly they would store from each email, but just trust them to do the right thing.
6. LinkedIn is changing your device’s security profile.
Intro works by pushing a security profile to your device; they’re not just installing the Intro app. They have to do this in order to re-route your emails. But, these security profiles can do much, much more than just redirect your emails to different servers. A profile can be used to wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things.
Most of your end users aren’t going to understand the impact of these changes, nor will they know how to reserve them if they wanted to do so. You are effectively putting your trust in LinkedIn to manage your users’ device security.
7. It’s probably a gross violation of your company’s security policy.
If your company’s policy (e.g. security, confidentiality, data classification, email) has anything about not disclosing sensitive data, it more likely says something like “Do not share sensitive data with third-parties.”
You’re probably violating that by installing Intro.
8. If I were the NSA…
…and I hear everyone’s mobile phones were routing their emails through LinkedIn…well I know where I’m having my next birthday party.
9. It’s not what they say, but what they don’t say
“Does LinkedIn Intro disclose information to anyone else?” the answer is not “No.” It is “We will never sell, rent, or give away private data about you or your contacts.”
The astute reader must ask themselves:
How do you determine what is “private”?
What is considered “not private”?
Who makes the judgment call?
Are you agreeing not to misuse “private data about [me]” as in the content of my emails or my LinkedIn profile information?
Are you agreeing not to misuse “[my] contacts” as in my contact list or “private data about…[my] contacts” such as the content of our communications?
The better question perhaps is, “How does LinkedIn know what you consider private?” I suspect the answer is that they don’t.
10. Too many secrets
There are unanswered technical questions, too. Do the LinkedIn Intro servers mandate the use of SSL/TLS for all traffic? Does the Intro app redirect all of the accounts on your phone, or just one that you nominate? Can you opt out of the man-in-the-middle attack feature?
There’s a lot to consider and I’m sure others will think of more implications. For the time being, Intro is banned from Bishop Fox devices until we know more about it. And at the time of this writing, our recommendation is:
Don’t introduce Intro into your environment.