The Hacker News Logo
Subscribe to Newsletter

'LinkedIn Intro' iOS app can read your emails in iPhone

Your LinkedIn profile is your digital resume. Yesterday, LinkedIn launched a new app for for iOS devices called Intro 'LinkedIn Intro'. With this feature an email on your iPhone will display a picture of the sender, with useful profile info from LinkedIn.

Basically, to use the service, a LinkedIn user must route all of their emails (any provider i.e. Hotmail, Gmail, Yahoo, etc.) through LinkedIn's 'Intro' servers, which will inject fancy business centric HTML profile right in your emails, as shown.
But this also means that LinkedIn is now able to read the complete content of your emails and also can store the passwords to users' external email accounts. The feature is enough to destroy the security and privacy of your mails.
Another point to be noted that, Apple does not provide any APIs or frameworks for developers that would allow this kind of modification of its interface. Instead, LinkedIn is acting as a ‘man in the middle by intercepting your email to inject that HTML code.
"Normally your device connects directly to the servers of your email provider (Gmail, Yahoo, AOL, etc.), but we can configure the device to connect to the Intro proxy server instead. The Intro proxy server speaks the IMAP protocol, just like an email provider, but it doesn’t store messages itself. Instead, it forwards requests from the device to your email provider, and forwards responses from the email provider back to the device. En route, it inserts Intro information at the beginning of each message body — we call this the top bar."
LinkedIn said that, during installation, the servers temporarily cache your password in order to add a new Mail account to your device, and your password is only cached for the length of time it takes to install Intro, and never for more than two hours.

But is it secure? Amidst this criticism, Senior Software Engineer for LinkedIn Martin Kleppmann wrote a blog post explaining how the service’s security isn’t something people should be worried about.
He said, in order to use the feature user have to Install 'Inro' app manually with his wish and Usernames, passwords, OAuth tokens, and email contents are not permanently stored anywhere inside LinkedIn data centers. Instead, these are stored on your iPhone.

Even, LinkedIn also sniffs the contents of users' iOS calendars, including sensitive information such as confidential meeting notes and call-in numbers, which they then transmitted in plain text, not encrypted.

But in the future, Will they do not comply with so-called U.S Secret orders to intercept user emails for NSA intentionally under low pressure ? Obviously they are and they will !

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.