Intro, LinkedIn’s new mobile app, is great for networking, but as it turns out, it’s even better for hacking. According to security experts, the app is incredibly insecure.
The app works by redirecting email traffic from your iPhone or iPad through LinkedIn's servers, where those messages are analysed for people's professional details. LinkedIn then adds its own info and places it prominently in emails. That's great in theory, and it gets people to use LinkedIn more often than once every few months when they have 62 connection requests to address, but the way LinkedIn gets at the data is where the security problems lie. Says the New York Times:
Researchers liken that redirection to a so-called man-in-the-middle attack in which hackers, or more recently, intelligence agencies, intercept Internet traffic en route to its destination and do what they will with it. Iranian hackers used that tactic to intercept dissidents’ Gmail accounts in 2011, by hacking into DigiNotar, a Dutch certificate authority. The National Security Agency is accused of using man-in-the-middle attack tactics to snoop on Google traffic, according to recent revelations by Edward Snowden.
In order for LinkedIn to add details to an email, that email has to be decrypted and then re-encrypted before it gets to the recipient. That means the plaintext of every message passes through LinkedIn's servers, which makes them a prime target for hackers. Another problem is that people trust LinkedIn, and this app — although LinkedIn has claimed in a blog post that Intro is secure — gives LinkedIn, or someone else with less noble network-y intentions, full access to your email account and all the info within. [New York Times]