
Linkedin's Response to My "Phishing with Intro" Post - jwcrux
http://jordan-wright.github.io/blog/2013/11/01/linkedins-response-to-my-phishing-with-intro-post/
======
tptacek
Someone's obviously champing at the bit to write the comment about t-shirts
versus bug bounties. Before they write that, they should consider that a
company that doesn't already have a bounty can't simply create one on the
spot; those programs need to be reviewed by counsel.

I think it's inevitable that most tech companies are going to end up offering
formal bounty programs, but you should remember that only a select few do
today.

~~~
krallin
Even if they did, would they actually award the bounty even though the bug was
directly taken to a blog post, and not reported to them first?

I may be mistaken, but I was under the impression that there generally was a
tacit agreement that you only get the bounty if you don't go public with it
before it's fixed.

~~~
cddotdotslash
You're right - I don't think you qualify for a bounty if you write a blog post
and then the team contacts you. Usually there are strict requirements
including a responsible disclosure to the company directly.

~~~
x0x0
Please don't parrot nonsense like "responsible" disclosure; it mangles
language to normalize behavior these companies want (what's the opposite of
responsible? Not letting companies sit around and procrastinate while users
are or may be being exploited is therefore irresponsible.)

I'm not necessarily saying people shouldn't disclose first, but labeling it as
responsible is grating.

~~~
pgeorgi
So it's optimistic disclosure? Assume that the vendor will respond
responsibly.

~~~
eru
How about private (or partial) disclosure? As opposed to just 'disclosure', or
public disclosure.

------
shaggyfrog
> "Linkedin isn’t that kind of company"

But it _is_ the kind of company that set up this massive MITM hole in the
first place, and thought it was a good idea to "offer" this "feature" to
unsuspecting targets, er, "users".

They may have fixed this "bug", but the bug that is the feature itself
remains, and it can only be fixed in one way...

~~~
TheBiv
I get the snark. But using their own words against them is very disingenuous.

Recognizing people for being good people, as the author did, should be
completely separate from a product that you believe is a bad product.

~~~
mehwoot
_using their own words against them is very disingenuous._

How is that disingenuous? Was the accusation not sincere?

~~~
TheBiv
Disingenuous meaning not truthful, which it was not.

~~~
mehwoot
That's not what the word means.

_1. Not straightforward or candid; insincere or calculating

2. Pretending to be unaware or unsophisticated;

3. Unaware or uninformed; naive._

Generally it is used to mean untruthful _on purpose, with an intent to
deceive_, usually by acting as if you're unaware of something.

------
chimeracoder
> he made it immediately clear that he didn’t call to ask me to take down the
> post – “Linkedin isn’t that kind of company”.

I'm very glad to hear this.

Disappointed (in general) that this even needs to be noted, but glad to hear
it. Unfortunately, this is not something that can be taken for granted.

------
mfkp
Seems like they handled this very well. Maybe more security teams are being
especially cautious after the Yahoo security reporting fiasco. While I still
don't agree with the basic concept behind Intro, I think they handled this
appropriately.

------
usaphp
I would prefer an actual check or some sort of evaluation of the time he spent
on the phone/email trying to explain the fix to LinkedIn. Sending him a bunch
of advertising materials with logos all over them is kind of disrespectful, I
think.

~~~
hobs
The guy could certainly have just ignored the phone call, just because the
company contacts you does not mean you need to help them (even if they are
being nice).

While I think that a bug bounty is the RIGHT thing to do in this scenario, the
security guy likely couldn't just decide on his own to give out thousands of
dollars, so something is better than nothing, and if the expectation was
nothing, then well, sounds decent to me.

~~~
tptacek
I think that is literally true; that is, I think that a security person at a
large company would be in serious trouble if they paid someone for reporting a
security vulnerability out of their own pockets. There are legal implications
to opening up a bug bounty.

------
clienthunter
If LinkedIn sent me this box of self-aggrandising cruft I'd be genuinely
pissed at them for imposing onto me the responsibility for its disposal.

~~~
sutterbomb
It's like the Mitch Hedberg bit: "Whenever I walk, people try to hand me out
flyers. And when someone tries to hand me out a flyer, it’s kinda like they’re
saying, 'Here—you throw this away.'"

------
mintplant
Is there a reason why LinkedIn couldn't have run the IMAP proxy on the device
itself, instead of having email pass through their remote servers?

~~~
ceejayoz
Apps can't elect to be started up when the phone boots, nor can they count on
avoiding being killed if the user is running a graphically intense game or
something.

~~~
victorf
Except VoIP apps, since we want all apps with that capability to start on boot
even if we only use them once a month, and we don't want any others to start
on boot even if we use them daily. iOS regulations are so stupid.

------
jmcgough
I've never really liked Linkedin's product that much, but they addressed this
issue in a very mature way - instead of rebuking it in a press release or
arguing with him, they fixed the issue and thanked him. I'm impressed.

------
avenger123
I don't want to be cynical but when I read small token of appreciation, I
thought it would be something more than just branded stuff from the company.
You could argue that all they could send was LinkedIn marketing material but
it just rubs me the wrong way when companies put out their branded trinkets as
"gifts".

Please just give me the money. I'll decide which companies I will do free
advertising for.

~~~
wiml
Meh, that's why it's a _token_ of appreciation. If I were the guy, I'd be more
offended by money than by some marketing trinket; sending me money implies
they thought my involvement was worth that amount of money, and it's unlikely
they would send enough to correspond to a reasonable hourly rate. Sending a
trinket with no monetary value makes no such implication; it's purely a social
gesture, not an economic one.

On the other hand, if some company wants to thank me for something in the
future with something more than tradeshow swag, I would not turn down a nice
bottle of whisk[e]y, just sayin'.

~~~
avenger123
You have a point.

------
cmac2992
This is the way a business should be run. LinkedIn gets a +1 in my book

~~~
acosmism
agreed, a+

------
xacaxulu
Everyone makes mistakes. It looks like LinkedIn's team handled this in a
professional manner. I can dig it.

------
eridius
I missed the original "Phishing with Intro" post. After reading it now, and
the update, from the description it sounds like all they did was randomize the
ids to make it hard to target the LinkedIn content with CSS. But surely it's
still possible, no? The content is injected at the head of the body, so just
target it using sibling selectors. You can't override any !important style
this way (as the ID selector takes precedence), but maybe you could find a
non-!important-specified style that can still be used to affect it. Heck,
maybe just set a -webkit-transform that collapses the height to 0.

------
nicholassmith
That's a pretty awesome t-shirt; at least LinkedIn security did a good job with
their response and some awesome swag.

------
laureny
So they rewarded you by sending you merchandising for their company.

I was hoping that at the very least, they'd offer you a job.

~~~
jkrems
1. Finding one security problem is not necessarily enough to qualify for a
job offer

2. They sent him a trophy. It wasn't just any ball pen with the company logo
but a nice, topical t-shirt

As someone else pointed out - he disclosed the vulnerability publicly before
informing LinkedIn. Most companies wouldn't have given him anything.

------
vladtaltos
They should have paid the guy - not sent cheap trinkets. And no chump
change either. He went out of his way to even help them roll out the hot fix.

Don't be a 'cheap kind of company', LinkedIn. Pay up.

------
saravanaj
Bollocks.

