Yesterday LinkedIn released their new “Intro” service. This service claims to “do the impossible” by enabling messages received within the native iOS mail client to display basic profile information from senders with LinkedIn profiles.
On the surface this new offering is compelling to power users of LinkedIn on their iOS devices. Easy visibility into a sender’s profile, connection status and other additional information shorten the gap between receiving an email and correlating the sender with their LinkedIn profile. This sounds great, but how does it work and what security concerns arise through the use of the Intro service?
In order to work around the inability to natively extend the iOS mail client, LinkedIn designed a proxy service that acts as an intermediary between your device and your email service. The service captures and stores your username, password and connection settings so that it can act as the intermediary and communicate with an email service on your behalf. While the concept of proxying to perform meaningful action on a data stream is not a new concept. In this era of heightened risk awareness and increasingly skilled adversaries, use of “man in the middle” methods raise a number of concerns that cannot be discounted.
There are several potential consequences as an outcome of utilizing the Intro service. Foremost this model could be considered a deviation from operational security best practices by capturing, storing and utilizing login credentials on systems outside of the users or email services control. While LinkedIn claims that the credentials are only stored for a short period of time, the service retains the ability to intercept and act on email messages sent or received during the term of your use of the service. Hand off of login information to a third party has a high probability of being in violation of the majority of corporate information security policies. In addition the legal implications for attorney-client privilege violation and law enforcement warranted or warrantless access are well known.
The elephant in the room is the risk this service poses to a large number of LinkedIn users should the service be compromised. Almost a year and a half ago LinkedIn was compromised by a Russia based hacker group who captured nearly 6.5 million user account credentials. The value of compromising the Intro service could potentially be even more valuable than stealing account credentials. It’s easy to envision a skilled attacker using access to this service to gain a number of tactical advantages.
Attention should also be paid to the EU/Swiss Safe Harbor Framework provisions, along with the APEC Cross Border Privacy Rules (CBPR). While the United States has relatively laissez-faire approach to data privacy, with the except of medical and transactional data, the European Union has developed substantial rules on how individuals information can be collected, processed and utilized.
Even with the upmost assurance by LinkedIn that the service will only be used for the intended purpose and that security is a top priority, corporate desires change over time and compromises by malicious actors do happen. The most prudent course of action is to undertake a formal risk assessment before deciding if you or your organization will support or deny the use of Intro. Any time you or your organization investigate use of an external service, consider its compliance with corporate security policies, assess contractual and confidentiality provisions with clients/affiliates and exercise an appropriate level of due care.
For more information about the Intro service architecture and privacy statements, please visit;