ID: IRCNE2013101999
Date: 2013-10-29
According to Computerworld, earlier this week LinkedIn released LinkedIn Intro, a plug-in for the iPhone's native email app that attaches people's LinkedIn profile information to their emails.
By transmitting sent and received emails through LinkedIn's servers, which then scrape and analyze them for data, the service essentially amounts to a "man-in-the-middle attack," security consulting firm Bishop Fox wrote in a staff blog post.
"The introduction of new data sources into a medium rife with security issues such as email is a dream for attackers," Bishop Fox wrote.
For online attackers, Intro makes LinkedIn a juicy target, Bishop Fox's Livitt said.
LinkedIn maintains a privacy policy for the service, which states that each piece of data is encrypted with a key that is unique to the user and his device. "The servers themselves are secured and monitored 24/7 to prevent any unauthorized access," it says.
Though LinkedIn doesn't say that it decrypts emails while they're on the servers in order to make modifications and attach people's profile information, that's what's happening, Livitt said.
But some other observers don't think Intro raises any new security issues. "It's the same situation as every other cloud service provider," including Google, Yahoo, AOL and many others, said security expert and author Bruce Schneier. "You have to trust them."
LinkedIn suffered a major breach of its password database last year, which saw millions of hashed passwords appear in an online forum in Russia.
If the security risks are real, is the service that Intro provides worth it? That comes down to being a personal choice, Bishop Fox's Livitt said, but for him the answer is "no."
"I would not recommend Intro to any of my clients," he said.