
Phishing with Linkedin's Intro - jwcrux
http://jordan-wright.github.io/blog/2013/10/26/phishing-with-linkedins-intro/
======
wellboy
Well done Jordan, this is a good example of how insincere company culture,
which endorses email spam and dark design patterns, WILL backfire.

In a company with great culture, this kind of project would have been caught
by the various stakeholders of this project and it would not have been
released.

However, at Linkedin, the engineers and product managers, having learned over
the years that these kinds of things are "fine" and can be overlooked as long
as the feature brings more engagement, more traffic --> more money, let this
dodgy product slip through the cracks of Linkedin.

I don't know how many times Linkedin has been on hackernews for email spam,
when will they finally get it?

I talked to the main growth hacker of Linkedin a while ago who does all the
email marketing and asked him if it's not a bit dodgy what they are doing. He
smirked and told me how much these strategies boost engagement at Linkedin and
how much money they make.

This is not something to be proud of, it's like being proud of having stolen
10 kids a lollipop today. Everybody can steal lollipops, build a drug cartel
or big company with dodgy maneuvers, because then it is not about how gifted
they were, it's how deceitful.

That is just not impressive. However, it's insanely impressive to build a
company without being dodgy, but just by making a great product that your
users love.

It's one of the most basic rules of growing a company that pursuing short-term
gains (1-2 years) with dodgy maneuvers directly translates into long-term
losses in the 10-fold numbers of the short-term gains.

This is not too hard to understand, is the executive team of Linkedin not
intelligent enough to get that?

~~~
cmccabe
For some reason, a few people at HN seem to have a hard-on for criticizing
LinkedIn. I never hear the same criticism of Facebook or Twitter here, even
though their privacy policies are just as bad, or worse in many cases, and
they also send bulk email.

I get spammed by all the social networks I've joined, and even by a few that I
didn't join. I get mail from every newspaper or magazine I've ever subscribed
to, and many that I never have. Condemning one business for doing this while
praising another is just hypocrisy.

~~~
DanBC
> I never hear the same criticism of Facebook [...] here

Facebook is regularly criticised, often fiercely, for their invasive privacy
policies.

~~~
austinz
As are Google and Apple (albeit not always for privacy). I think the only oft-
mentioned companies I've seen that consistently get better-than-neutral
sentiment are Tesla and SpaceX, although there are probably others I'm
forgetting.

~~~
girvo
And that's because Musk is the closest we can get to a tech "rock-star"
(ignoring the Blizzard guys who are actual rock-stars and play in a sweet
metal band).

------
colinsidoti
I'm going to venture against the grain here: this is a really cool hack by
LinkedIn. The OP's phishing attacks are equally cool - basically just HTML
injection that leverages a vulnerability in LinkedIn's message rewriter.
LinkedIn should be able to patch it relatively easily, just as they would on
their website.

~~~
jyap
Let me ask. Is it also a "cool hack" when hotels inject ads into free WiFi?

... Because it is basically the same concept but worse because you just gave
up the privacy of your inbox to be data mined and sold. All for some minor
conveniences masquerading as a "cool hack".

I don't think that's cool at all.

~~~
jmduke
_... Because it is basically the same concept but worse because you just gave
up the privacy of your inbox to be data mined and sold. All for some minor
conveniences masquerading as a "cool hack"._

My father's a B2B salesman who spends a lot of time using LinkedIn for lead
acquisition. He's thrilled for this thing because he spends "way too much time
fiddling with the iPhone browser to try and get this info."

I'm not saying the underlying security issues aren't valid, but to say it's a
"minor convenience" is a failure of perspective.

------
pilif
One of the things that really scares me about this is the configuration
profile thing. Yes. These profiles might contain just an email account. But
the UI you get when the profile also contains, say, a new root certificate is
the exact same UI.

As a user there's no way to see whether the profile you just accepted is just
adding an email configuration or whether it's setting a global proxy server
that even does SSL interception because the profile also contained that
proxy's root certificate.

Worse, by accepting one of these, you could also (again, same UI) allow
whoever sent you the profile to use MDM functionality on your device, allowing
them to track the device's location (GPS accuracy) and to remotely wipe it.

For these reasons, I would never, ever, ever accept a configuration profile
and I would recommend you don't accept one either.

This isn't just for linkedin either - a grocery store chain here allows for
easy camera based self-scanning. The only thing you have to do is to accept
their configuration profile so the phone can join a special in-store WiFi and
I suspect other companies do the same crap.

Accepting one of these is as close to installing malware as you can get.

------
_anshulk
I am not a linkedin employee but I wonder what an employee should do or in
this case have done when business was insisting on developing such a feature?

~~~
wellboy
Stir the debate, escalate it to management, make your co-workers aware of the
wrongdoing. If it's shoved under the carpet, leave, maybe write a blog post.

However, most people care more about their job than their values and for that
reason, remain quiet. As long as the paycheck's comin' in, u kno.

You've probably heard of a story like this before recently, just on a bigger
scale.

~~~
colinbartlett
I'd argue that software engineers are some of the most resistant people in the
workforce to these kinds of moral high-wire acts. That's simply because they
have way more job security than others. They can pick and choose companies
with which they are in moral agreement and jump ship when something they
disagree with is forced upon them.

~~~
wellboy
You'd think so, but it took a decade until Snowden was the first one of these
10,000 engineers to speak up.

~~~
jonny_eh
That's because it's super easy to rationalize things like this. From the
outside, hearing about Intro for the first time, our initial reaction may be
"WTF?". But from inside the company it was a slow boil. You know that you mean
no harm, and the people you work with are good people, and they mean no harm
either. And hey, you're taking all these precautions like using separate
servers, and getting security audit checks. And hey, isn't this a clever way
to add a cool feature?

Before you know it, it's too late to say "no". Something that may have started
as a good idea has transformed into a monster. Human cognitive biases will
then kick into action and save you from admitting to yourself that you're part
of the problem.

~~~
wellboy
That's an excellent description, gradual escalation.

For that reason, there need to be very strong company values.

Further, every engineer needs to be very reflective and have very strong
values themselves, because most companies don't have these strong values.

This should be started to be taught at universities now, so that young
engineers have some guidance to start out with. Engineer Ethics Lecture 1.

------
amolsarva
Perhaps a bit naive of me, but can't ANY email sender just include html/css of
this type in their spam or regular mail to me?

Can't any email sender spoof the sender identity in various ways, e.g., from
name, signature, and sure this picture badge thing?

~~~
deno
With SPF and DKIM you cannot spoof the envelope address and the “From:” header
email address. If SPF were actually required instead of optional (or even
ignored), we could have been free of 99% of spam and phishing emails maybe as
soon as 2009!

Anyway the point of the post is that if you just add the badge thing you will
end up with two different badges, which the user would obviously find
suspicious. Instead, the way LinkedIn rewrites messages is exploited to get
only a single badge but manipulate its content (and/or the message content).
Since the message looks authentic (it’s been filtered by LinkedIn) it gives
the user a false sense of security, which turns a naïve phishing attempt into
a very effective one. After all, the point of the message rewriting was to give
the impression that LinkedIn Intro is an extension to the actual email client.

------
staringispolite
Thanks for the article. It seems unlikely that you could scale the first step:
harvesting the iPhone profiles in the first place. I was under the impression
this is a one-time download. Is there any realistic way to get a significant
number of these?

------
joeblau
Does this look like a man in the middle attack to anyone else?

~~~
galonk
I wouldn't say "looks like".

------
bcx
It seems that this same exploit would work for anyone using Apple Mail. Isn't
Linkedin-Intro just exploiting the fact that Apple Mail renders HTML?

~~~
forsaken
It's the expectation of the user that makes this hacking. Inserting the HTML
into a non-Intro user's email wouldn't make sense. But since the user is
expecting that data, and for it to be validated, spoofing it becomes much more
valuable.

------
general_failure
I cannot believe they bought this tech for 15m.

Think about it: 15m.

I have said this many times before but I really need to get off my ass and
just do something. Looks like anything sells these days. Especially a
spectacle. Just do something that attracts attention. Sell it. Retire. This is
not about tech.

/grumpy me

~~~
driverdan
You don't seem to understand Rapportive. This is a new thing they built as
members of LI, not the product they bought. Rapportive is a great tool that's
extremely useful. If anything $15m was low.

------
unlogic
This reminds me of Caller ID spoofing. It was nicely described in Kevin
Mitnick's book "The Art of Deception".

------
cmccabe
Based on everything I've read, LinkedIn didn't develop this technology. They
bought it when they acquired Rapportive (which, by the way, was a Y Combinator
startup).

Can someone explain the technical details here a little more? I feel like a
few steps are missing in the explanation. Why does Rapportive/Intro need a
separate IMAP account attached to the device? How could LinkedIn ever think
email could be secure? Email is a plain-text protocol based on trust. Can't
people just spoof source addresses and inject whatever they want into the next
email server in the chain?

~~~
jwcrux
Sorry - I tried to keep the post to a reasonable length. I'll be following up
with a more detailed post later. :)

The separate IMAP account is likely so that they wouldn't ever touch the
user's Gmail credentials. This way, they do everything via the OAuth token
they retrieve. Also, I'm not sure if they can know for sure that the user has
synced their Gmail account to their iPhone or not.

I don't know how Linkedin thought this was a good idea. This is clearly one of
those cases where the functionality benefits are greatly outweighed by the
security risks. This shouldn't have been made.

Thanks for reading!

~~~
colinsidoti
I don't know the details of IMAP well enough, but isn't the proxy what allows
them to inject HTML into the email that iPhone's Mail app sees, but not any
other client?

~~~
jwcrux
Yes - they need to perform what's called a Man in the Middle Attack (MiTM) to
inject HTML into your email.

Normally, your iPhone (and other clients) retrieves email from Gmail's servers
using the IMAP protocol. To inject content, Linkedin set up a configuration
profile which placed them in the middle, so you connect via IMAP to their
servers, they fetch the content using IMAP from Google, inject their content,
and feed it back to you.

This is why the email is not permanently changed. Only changed en route to
your iPhone.

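Two points in this thread, pilif's (the install UI looks identical whether a profile carries only a mail account or also a root certificate, a global proxy or MDM enrollment) and jwcrux's (Intro works by pointing the mail account's IMAP server at LinkedIn's proxy), can both be checked before tapping "Install". The script below is an added example, not code from the post or from LinkedIn: it parses a .mobileconfig plist with Python's standard plistlib and reports any payload that goes beyond a plain mail account, plus any mail account whose incoming server is not the expected provider host. The sample profile and the expected host list are constructed for this example.

```python
import plistlib

# Constructed for this example: the IMAP hosts the user actually expects.
EXPECTED_IMAP_HOSTS = {"imap.gmail.com"}

# Payload types from Apple's configuration profile reference that do far more
# than add a mail account, yet are installed through the same UI.
HIGH_RISK_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root certificate",
    "com.apple.proxy.http.global": "sets a device-wide HTTP proxy",
    "com.apple.mdm": "enrolls the device in MDM (remote wipe, location)",
}


def build_profile(payloads):
    """Helper (constructed): wrap payload dicts in a minimal profile plist."""
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadDisplayName": "Example Mail",
                           "PayloadContent": payloads})


def audit_profile(mobileconfig_bytes, expected_hosts=EXPECTED_IMAP_HOSTS):
    """Return a list of findings for a .mobileconfig blob; empty means clean."""
    profile = plistlib.loads(mobileconfig_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in HIGH_RISK_PAYLOADS:
            findings.append(f"{ptype}: {HIGH_RISK_PAYLOADS[ptype]}")
        elif ptype == "com.apple.mail.managed":
            # An unexpected incoming server means a third party sits in the
            # IMAP path and can rewrite messages en route, as Intro did.
            host = payload.get("IncomingMailServerHostName", "")
            if host not in expected_hosts:
                findings.append(f"mail account routes IMAP through {host!r}")
        else:
            findings.append(f"{ptype}: unrecognised payload, review manually")
    return findings


# Constructed sample: looks like "just an email account" to the install UI,
# but also carries a root certificate and points IMAP at a third-party host.
SAMPLE_PROFILE = build_profile([
    {"PayloadType": "com.apple.mail.managed",
     "IncomingMailServerHostName": "imap.example-proxy.invalid",
     "EmailAddress": "user@example.com"},
    {"PayloadType": "com.apple.security.root",
     "PayloadContent": b"<DER certificate bytes would go here>"},
])

if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE):
        print("WARNING:", line)
```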
