LinkedIn’s iOS App Transmits Personal Data In Plain Text, Leaks Passwords

The Next Web is reporting that LinkedIn’s iOS app collects personal data from the user’s calendar — without explicit consent — and sends it back to the company’s servers in plain text.

Users must opt in to a feature that allows them to view calendar information from within the LinkedIn app, but once that choice is made, users are not notified that their personal data — including a meeting’s title, organiser, attendees, meeting times and notes — are being transmitted across the internet as plain text. Fortunately, that means that if you haven’t chosen to use the feature, your data is completely secure.

The issue was identified by Skycure Security researchers Yair Amit and Adi Sharabani, who will be presenting the discovery at the Yuval Ne’eman workshop in Tel Aviv later today. It raises some questions about whether LinkedIn’s app abides by Apple’s privacy guidelines.

According to LinkedIn spokeswoman Julie Inouye speaking to the New York Times, the data is used to coordinate information across multiple users:

“We use information from the meeting data to match LinkedIn profile information about who you’re meeting with so you have more information about that person.”

However, it remains unclear why LinkedIn needs so much data. To accomplish the outcome that Inouye describes, the company should only need a user’s unique identifier to feed each attendee the correct information. It currently remains uncertain what LinkedIn or Apple intend to do about the problem.

Update: The Next Web is now reporting that it’s just not LinkedIn’s day; apparently a large number of its user accounts have now been compromised, with 6.5 million hashed and encrypted passwords reportedly leaked. You should change your password.

[The Next Web, New York Times]

Image: nan palmero/Flickr