A new LinkedIn feature designed to familiarize users with their email partners could bring in security woes, researchers said.
The new feature, LinkedIn Intro, enables iPhone users to route their email through LinkedIn so they can get background on an email sender or receiver before they write. The feature helps the user become more familiar with their email partners, LinkedIn said.
Researchers said, however, the feature is potentially dangerous to the user’s personal privacy and to any enterprise that allows employees to use LinkedIn via the corporate network. This is another example of how users should be wary of using social media for corporate endeavors.
“Intro reconfigures your iOS device (e.g. iPhone, iPad) so all of your emails go through LinkedIn’s servers. You read that right,” said the security consulting firm Bishop Fox in a blog. “Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data.”
The blog continues: “‘But that sounds like a man-in-the-middle attack!’ I hear you cry. Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing.”
In fact, Intro could create problems for encrypted email, the Bishop Fox blog said. “Cryptographic signatures will break because LinkedIn is rewriting your outgoing emails by appending a signature on the end,” Bishop Fox said. “This means email signatures can no longer be verified. Encrypted emails are likely to break because of the same reason – extra data being appended to your messages.”