
LinkedIn ‘Intro’duces Insecurity - shenoybr
http://www.bishopfox.com/blog/2013/10/linkedin-intro/
======
buro9
One of the other subtle things they do with metadata is their fascination with
IP addresses.

Intro will enable LinkedIn to have the IP address of all of your staff using
it, and thus (from corp Wifi, home locations of staff, popular places your
staff go) they will know which IP addresses relate to your staff members (or
you individually if you are the only person on a given IP).

This means that even without logging onto LinkedIn, if you view a page on
their site they can then create that "so and so viewed your profile", which is
what they're selling to other users as the upgrade package to LinkedIn.

Worse than that, as a company you can pay to have LinkedIn data available when
you process your log files, and from that you know which companies viewed your
site. And that isn't based on vague ideas of which IPs belong to a company
according to public registrar info, this is quality data as the people who
visited from an IP told LinkedIn who they were.

Think of that when you're doing competitor analysis, or involved in any legal
case and researching the web site of the other party.

And VPNs won't help you here, as you'd still be strongly identified on your
device and leaking your IP address all the time.

There are so many reasons why this LinkedIn feature needs to die a very
visible and public death, and very few about why it should survive. It's a
neat hack for sure, but then so were most pop-up and pop-under adverts and the
neatness of overcoming the "impossible" is no reason this should survive.

~~~
300bps
_Worse than that, as a company you can pay to have LinkedIn data available
when you process your log files, and from that you know which companies viewed
your site._

To give a real world example of how true this is, I have a friend that owns a
service company. He subscribes to Visistat for which he embeds a small snippet
of Javascript into every page in his site. He uses a product of theirs called
LeadCaster which then identifies the company name and often the contact name
of people that visit the site. How does it do this? Look at Visistat's
Learning Center for an explanation:

 _NOTE: Contact information is supplied by the contact databases of Data.com
(formerly Jigsaw), NetProspex and LinkedIn. Not all information will be
available for every company and listing, however, your reports will show all
the data we are able to access for you._

So for a real world example that he told me about a few hours ago, a lady was
on his website. She left without doing anything more than viewing a few pages.
Through Visistat, he was able to get her company name and contact information
from LinkedIn. He looked up the phone number for her company and called her.
He then said, "I understand your interest in ..." She replied, "How did you
know I am interested in ...?"

This is spooky as shit and almost made me delete my LinkedIn profile today.

~~~
pjmlp
Someone told me over the weekend that some companies use your cookies to track
down prices and adjust their prices based on your surfing behavior.

These friends of mine discovered it while browsing an airline website, each
with his own laptop, only to discover different prices being offered. Which
they found very strange, given they were seated next to each other.

After cleaning the browser history and visiting the same web site with
anonymous mode on, both got the same prices being offered.

~~~
x0054
I heard that Airlines do not like you shopping around for prices from someone
who did this research. They log you when you first come on their site. If you
come back 2-3 days later, they will jack up the price, presumably to scare you
into buying tickets.

~~~
pjmlp
Yes, I heard the same story from these friends as they were telling me this.

One of them works for a travel agency.

~~~
vickm
What's the best work-around to avoid this price jack?

~~~
kbenson
Clearing cookies, or just using incognito mode in whichever browser you are
using usually does it. They've been doing this for at least a decade now,
IIRC.

~~~
mathattack
I'm surprised it's legal. Didn't Amazon have to backtrack on something like
this?

~~~
vklj
They did backtrack, but because of PR reasons, not legal ones. Unless there
are antitrust issues, it's perfectly legal to offer different prices to
different customers.

------
sneak
Giving away email credentials to a third party service, regardless of reason,
should be both covered in your internal training materials, as well as be
maintained as a firing offense.

This is really just a case of well-branded spearphishing. You should already
be protecting against that.

~~~
dragonwriter
> This is really just a case of well-branded spearphishing.

Spearphishing is distinguished from phishing more generally by having very
narrow, specific target selection.

If we are going to look for analogies to techniques of catching fish, this
is more weir phishing than spearphishing.

------
martinbc
Seems like Linkedin have posted an update on
[http://engineering.linkedin.com/mobile/linkedin-intro-doing-...](http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios):

Update, 10/24/13

We wanted to provide additional information about how LinkedIn Intro works, so
that we can address some of the questions that have been raised. There are
some points that we want to reinforce in order to make sure members understand
how this product works:

- You have to opt-in and install Intro before you see LinkedIn profiles in
  any email.
- Usernames, passwords, OAuth tokens, and email contents are not permanently
  stored anywhere inside LinkedIn data centers. Instead, these are stored on
  your iPhone.
- Once you install Intro, a new Mail account is created on your iPhone. Only
  the email in this new Intro Mail account goes via LinkedIn; other Mail
  accounts are not affected in any way.
- All communication from the Mail app to the LinkedIn Intro servers is fully
  encrypted. Likewise, all communication from the LinkedIn Intro servers to
  your email provider (e.g. Gmail or Yahoo! Mail) is fully encrypted.
- Your emails are only accessed when the Mail app is retrieving emails from
  your email provider. LinkedIn servers automatically look up the "From" email
  address, so that Intro can then be inserted into the email.

------
jmadsen
Are Linkedin still working out of Mom's garage? Do they not have a single
person on staff capable of looking at the current environment regarding
internet privacy and say, "Uh, guys...maybe put this one on ice for a year..?"

~~~
lambda
Remember, LinkedIn has grown so much in part because so many people are
willing to _hand over their email passwords_ so LinkedIn can take a look at
their contacts.

LinkedIn knows exactly how many people will hand over full control of their
email if it means that they have a better chance of finding a better job.

~~~
jmadsen
Think I have to agree with you on that. Despite all the umbrage from HN, etc
crowd, they prolly know it isn't really hurting them & the financial rewards
are great.

Just doesn't seem like the greatest marketing strategy at the moment :-)

------
ctide
What's the difference between this and using an app such as Mailbox?

~~~
uptown
Asked the same question, but nobody answered.
[https://news.ycombinator.com/item?id=6601179](https://news.ycombinator.com/item?id=6601179)

~~~
ctide
I mean, Mailbox literally does the same thing (editing your messages on their
backend --
[http://www.mailboxapp.com/blog/?p=1#javascript-now-filtered-...](http://www.mailboxapp.com/blog/?p=1#javascript-now-filtered-from-mailbox-messages))
and no one cares. LinkedIn does it and the Internet goes shit crazy.

~~~
mey
I have never heard of Mailbox before, but I have heard of LinkedIn.

~~~
ZaAaV
Mailbox is part of Dropbox

~~~
tannerc
Worth noting is that they originally were not.
[http://techcrunch.com/2013/03/15/mailbox-cost-dropbox-around...](http://techcrunch.com/2013/03/15/mailbox-cost-dropbox-around-100-million/)

------
etchalon
This is ridiculous. LinkedIn is offering a feature, optionally, to users who
chose to install it. They have been upfront about how it works. If you don't
like how it works, don't use it. Problem solved, myopic holier-than-thou rant
avoided.

~~~
hdevalence
Do you honestly believe that most users who will install this will fully
understand the ramifications of that choice? If yes, why do you think that, in
spite of all the evidence that most users are clueless about security? If no,
then in what sense are they really giving consent, if that consent is not
informed?

~~~
miguelrochefort
Maybe we should also ban junk food. I mean, I'm sure many people don't "fully
understand the ramifications of that choice".

~~~
Anderkent
Are you really saying people don't understand junk food is unhealthy to the
same degree they don't understand IT?

~~~
miguelrochefort
The idea is to be consistent, not please the majority.

I can't say if people's understanding of how junk food is bad for them is
greater than their understanding of internet security, but I wouldn't say that
they're fundamentally different things.

My point is that "what people understand" is not universal, and is highly
subjective. We can't assume that everybody understand why alcohol, smoking,
junk food, lack of physical activity, medicine, etc. are potentially "bad" for
them. Yet, we don't ban most of these things "in case some people don't
understand"?

We teach people about health and nutrition, why shouldn't we do the same about
IT (I mean, it's such a huge part of our lives now that we can't ignore it)?

Too many people jump on the "prohibition" train, when it's rarely the best
solution. Rather than limit what companies can do (it's rarely objectively
bad, they're offering users a feature in exchange for a subjective downside),
I would focus on teaching people, not limit what can be done.

But maybe that's just me.

------
dclowd9901
> 1. Attorney-client privilege.

Really? I guess you better have your own SMTP server set up then, or hope your
email provider is willing to go to bat for your rights...

> 8. If I were the NSA…

Yeah, it sounds like they definitely have needed it so far...

5 other of the things are basically the same point, remade in 5 different
ways. This is a really weak list. There are certainly concerns, but most of
these problems are symptomatic of our email system as it is. And have we all
forgotten how crazy everyone went when we found out google was going to start
advertising in Gmail?

~~~
andrewfong
Incidentally, many lawyers and law firms run their own mail servers for
precisely this reason.

~~~
tedunangst
I think there's more to it than that. They want audit trails and backups, they
don't want you reading email from unapproved devices, etc.

~~~
andrewfong
Yes, but it's a part. When I was a law student, confidentiality was named as
the main reason why we weren't allowed to use Gmail for legal clinic work. If
you just want audit trails and backups, there are other ways of accomplishing
that don't involve outright banning use of a third party mail service.

~~~
DannyBee
"why we weren't allowed to use Gmail for legal clinic work."

Since that time (I assume this was a while ago, I can't imagine it was recent
since most of these schools now use hosted email providers), almost every
single state has issued opinions stating that storing email with a cloud
provider does not break privilege.

AFAIK nobody has cared much since New York's ethics opinion in 2008.

~~~
andrewfong
Nope, this was still the rule for Berkeley as of 2012. Since then though,
they've been replacing Berkeley's prior system with Google Apps. I'm not
sure if that changed anything.

I should also note that there have been a couple of cases since 2008 where
courts ruled that use of an employer's e-mail system broke privilege with
respect to that employer. See, e.g., Holmes v. Petrovich, 191 Cal. App. 4th
1047 (Jan. 2011). It might be a stretch, but I could see someone trying to
argue that Gmail use voided A/C privilege with respect to a lawsuit against
Google.

~~~
DannyBee
There are also a lot of court cases the other way, and those cases were more
about employment agreements, handbooks, and TOU, than they were about
general privilege breaking by using a cloud email provider.

------
csmatt
LinkedIn just seems overwhelmingly sleazy to me. How do they keep getting away
with this stuff?

~~~
tedunangst
People tell LinkedIn "Please, please, pretty please build something that lets
me view LinkedIn contact info while reading email on my phone." LinkedIn
builds it.

~~~
SideburnsOfDoom
> People tell LinkedIn "Please, please, pretty please build something that
> lets me view LinkedIn contact info while reading email on my phone."

Did they? Did they _really_?

~~~
tedunangst
No. LinkedIn spent considerable effort building something that nobody wants
and nobody will opt into.

~~~
nilved
I think you're joking, but we both know this isn't the first time they've done
that.

------
kevinpet
I wonder if they called it "intro" to make it impossible to google for so that
no one can ever figure out what they're agreeing to when they install it.

What does the sig it appends look like? I will have to make sure to never send
email to anyone who has the tell-tale "I opt into spyware" flag.

------
webhat
Nicely stated, what I didn't see mentioned was the iframe it introduces into
the mail. It can use this iframe to collect all kinds of additional data about
you.

In the first instance I thought this was an app that was running in the
background on your phone, I would have called that _doing the impossible_.
This is just a MITM, and not a very good one at that.

------
natekh
I'm not saying 1 bad turn deserves another, but this is no worse than what any
company operating at scale does when they serve https through a gateway
service (Scrubbers, CDN, whatever).

------
lispm
To celebrate this, I removed LinkedIn apps from my devices.

~~~
miguelrochefort
Do you expect some kind of reward? Sheep of the year maybe?

~~~
astrange
There's no need to be mean to people doing something you agree with.

~~~
miguelrochefort
Whether I agree or not is not the point. It was a "me too" comment, and I made
sure to point it out.

Could I have done a better job at it? Probably.

------
siculars
This idea is such a disaster I don't even know how it was allowed to see the
light of day. The sad fact is that there are untold numbers of people who will
install this monstrosity.

Serious questions though, if you are an IT shop - how do you defend against
this trojan horse app?

~~~
jzwinck
Maybe you can scan email coming into your corporate accounts, looking for
LinkedIn SMTP servers in the headers? It may then be straightforward to find
out (after the fact) if your users are using this service.

Aside: as Raymond Chen often asks, "What if two companies did this?" Can you
layer this service with a hypothetical similar one from Facebook? If not, it
seems like a huge first-mover advantage.
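The after-the-fact header scan jzwinck describes, as an added example written for this thread (not code from the post, the thread, or LinkedIn). It walks a message's Received: trail and flags any hop through a watch-listed relay; the proxy hostname, the MTA names and both sample messages are constructed placeholders, since this page names no real LinkedIn relay.

```python
"""Scan inbound mail for hops through a known third-party mail proxy.

The Received: headers are read newest-hop-first. Each hop's 'from' name is
whatever the connecting client claimed in HELO, so it can be forged; the
receiving MTA's own 'by' name and the bracketed IP it recorded are the
trustworthy parts, and a production scan should key on those as well.
"""
import email
import re
from email import policy

# Relay(s) you have identified as rewriting mail in transit. Constructed
# placeholder: not a real LinkedIn host.
PROXY_HOSTS = {"intro-proxy.example.net"}

# Constructed sample 1: the sender's phone submitted through the proxy, which
# handed the message to the sender's usual provider, so the proxy appears one
# hop below the provider's own server.
MSG_VIA_PROXY = (
    b"Received: from mail.provider.example (mail.provider.example [198.51.100.5])\r\n"
    b"\tby mx.corp.example (Postfix) with ESMTPS id 4XYZ\r\n"
    b"\tfor <alice@corp.example>; Thu, 24 Oct 2013 10:00:02 +0000\r\n"
    b"Received: from intro-proxy.example.net (intro-proxy.example.net [203.0.113.10])\r\n"
    b"\tby mail.provider.example with ESMTPSA id 7ABC;\r\n"
    b"\tThu, 24 Oct 2013 10:00:00 +0000\r\n"
    b"From: bob@provider.example\r\n"
    b"To: alice@corp.example\r\n"
    b"Subject: meeting\r\n"
    b"\r\n"
    b"See you Thursday.\r\n"
)

# Constructed sample 2: the same sender, submitted directly from a mail client.
MSG_DIRECT = (
    b"Received: from mail.provider.example (mail.provider.example [198.51.100.5])\r\n"
    b"\tby mx.corp.example (Postfix) with ESMTPS id 4XYA\r\n"
    b"\tfor <alice@corp.example>; Thu, 24 Oct 2013 11:00:02 +0000\r\n"
    b"Received: from [192.0.2.7] (client.provider.example [192.0.2.7])\r\n"
    b"\tby mail.provider.example with ESMTPSA id 7ABD;\r\n"
    b"\tThu, 24 Oct 2013 11:00:00 +0000\r\n"
    b"From: bob@provider.example\r\n"
    b"To: alice@corp.example\r\n"
    b"Subject: meeting\r\n"
    b"\r\n"
    b"See you Thursday.\r\n"
)


def received_hops(raw):
    """Return one (from_host, by_host) pair per Received: header, newest first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))  # unfold and normalise whitespace
        m_from = re.search(r"\bfrom \[?([\w.:-]+)\]?", text)
        m_by = re.search(r"\bby ([\w.-]+)", text)
        hops.append((m_from.group(1) if m_from else "",
                     m_by.group(1) if m_by else ""))
    return hops


def proxied_hops(raw, proxy_hosts=PROXY_HOSTS):
    """Hops that touched a watch-listed relay; a non-empty list means 'flag this sender'."""
    watch = {h.lower() for h in proxy_hosts}
    return [hop for hop in received_hops(raw)
            if hop[0].lower() in watch or hop[1].lower() in watch]


if __name__ == "__main__":
    for name, raw in (("via proxy", MSG_VIA_PROXY), ("direct", MSG_DIRECT)):
        print(name, "->", proxied_hops(raw) or "no proxy hop")
```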

~~~
siculars
Right, first mover. I'm afraid LinkedIn has selfishly crossed a line that we
will all suffer for. Other companies will no doubt try to do similarly idiotic
things in the name of "convenience", "features", etc.

------
mcenedella
Related:
[https://news.ycombinator.com/item?id=6430893](https://news.ycombinator.com/item?id=6430893)

"LinkedIn Founder says 'all of these privacy concerns tend to be old people
issues.'"

The bit about privacy starts at the 13 minute mark.

------
llamataboot
I desperately want to delete LinkedIn, but I am also looking for my first
developer jobs in the tech field. In my former field, no one would ever ask
for your LI profile. You send a resume, link to a resume, whatever. In the
tech field, every single company I've interviewed with so far has looked at my
linkedin profile before our interview and specifically requested it. Until the
field changes, or I have a stronger status as a developer, I feel I have to be
there or get overlooked for someone who is there.

~~~
anaphor
Simply tell them you don't use it because of ethical reasons, and explain why
if asked. If you would like a replacement then check out
[http://careers.stackoverflow.com/](http://careers.stackoverflow.com/)
(requires a certain amount of SO rep or an invite, which I would be willing to
give but I see no way of doing that with you).

------
iamleppert
In other news, e-mail is an insecure protocol and most people transmit in the
clear and don't have their own e-mail infrastructure anyway.

It's interesting this "blog post" came from a professional security company
who makes it money from scaring individuals and companies about security
threats.

Is it just me, or is this firm even worse than LinkedIn?

------
shenoybr
I wonder how this affect BYOD to work. Corporations would be furious to have
their email content scanned by linkedin.

------
ig1
Well lets take these one-by-one:

-------------

1. Attorney-client privilege.

I'm guessing most law firms use third party email servers, anti-virus,
anti-spam and archive/audit systems which this would also apply to. It would
also apply if you're using Rapportive, Xobni or the like (or integrated
time-tracking, billing, crm, etc.).

-------------

2. By default, LinkedIn changes the content of your emails.

Irrelevant. Unless you read your emails in plain text every modern email
client changes how email is displayed.

-------------

3. Intro breaks secure email.

Yes. Except iOS mail doesn't support crypto signatures anyway.

-------------

4. LinkedIn got owned.

Yes. LinkedIn adds an extra point of vulnerability.

-------------

5. LinkedIn is storing your email communications.

Well metadata but yes.

-------------

7. It’s probably a gross violation of your company’s security policy.

Yes. As is using Linkedin itself. Or Dropbox. Or Github. Or Evernote. Or
Chrome. Or any enterprise software that uses the bottom up approach.

-------------

8. If I were the NSA…

The NSA has access to your emails if they want them anyway. Email isn't a
secure protocol against a well funded adversary.

-------------

9. It’s not what they say, but what they don’t say

This looks like a semantic dispute, but it doesn't look any more vague than
say Google's privacy policy. Companies in certain circumstances are legally
required to provide access to information.

-------------

10. Too many secrets

These all seem to be questions that can either be answered by testing or ones
that LinkedIn would probably be happy to disclose, but unlikely to be major
issues to mainstream users.

-------------

So fundamentally it comes down to two points, granting Linkedin access to your
email creates a new point of attack and Linkedin themselves might use your
email in ways you find undesirable.

So it's essentially a trade-off for the benefits you get from the app versus
those risks. For a personal account which you use for private emails, personal
banking, etc. the evaluation is obviously going to be very much different from
say a salesperson's work account which they use for managing communication
with leads.

In the latter case they may already be trusting LinkedIn with similar
confidential information and already use multiple services (analytics, crm,
etc.) that hook into their email so the additional relative risk might be
smaller.

As people with technical expertise we shouldn't use scare-mongering to push
our personal viewpoints upon those with less expertise, but rather help people
understand the security/benefit trade-offs that they're making so they can
decide for themselves whether to take those risks.

It's important to treat the wider non-technical community with respect and as
adults capable of making their own judgements and not as kids who need to be
scared into safety.

~~~
kevinpet
> 7. It’s probably a gross violation of your company’s security policy.
>
> Yes. As is using Linkedin itself. Or Dropbox. Or Github. Or Evernote. Or
> Chrome. Or any enterprise software that uses the bottom up approach.

I doubt I could even find a company that prohibited accessing LinkedIn from a
work computer anymore. Many don't disallow installing software either.

If you truly believe what you wrote, you almost certainly believe accessing
work email from a personal device is prohibited at typical companies. Maybe
this is true at large companies, but not anywhere I've worked.

Your argument has no validity. You claim that it's absurd for IT to
differentiate between "sending your email to your phone" and "sending your
email through a third party with no connection to email deliverability and no
business relationship"

~~~
ig1
Apple prohibits developers from listing details of what they're working on on
their linkedin profile for trade secret reasons.

Countless companies prohibit salespeople from connecting to potential leads on
linkedin to prevent it leaking to competitors.

I'm guessing you've not worked in enterprise because it's pretty normal to
have a company policy on "bring-your-own-device" (typically companies will
only allow access from devices that meet security requirements on password,
anti-virus, etc. often they'll also require the ability to remotely wipe your
device)

~~~
pimentel
Every (serious) company prohibits its employees from disclosing secret
information, be it Linkedin or by phone, and even verbally with your friends.
That doesn't mean it's forbidden to use Linkedin, make phone calls, or talk to
people.

------
cognivore
The thing that I find interesting is if LinkedIn goes ahead and does this, how
many other companies will want to join the bandwagon and then we'll end up
with our email being bounced around through a slew of different proxies so
everyone can add their spam and ads to it.

~~~
anaphor
And with each one trying to remove the content produced by the others in some
"clever" way.

------
orenmazor
Seriously? This is what Intro is? How is it not a bigger deal? People get upset
over the littlest Facebook changes, but something this big barely shows up?

~~~
viraptor
Probably because you have to explicitly enable this. With Facebook changes you
don't get the choice.

------
sytelus
I'm still not able to believe I read that right. Does LinkedIn _really_
re-route your emails to their servers in their entirety? I looked at their
announcement and video at
[http://blog.linkedin.com/2013/10/23/announcing-linkedin-intr...](http://blog.linkedin.com/2013/10/23/announcing-linkedin-intro/).
There is NOT even a hint of disclosure that they are doing this. I can imagine
10 ways to achieve a similar user experience without re-routing entire emails.
So if this is true, LinkedIn really really fundamentally screwed up with
customer trust.

------
ninjazee124
I just can't fathom how something so ridiculous could pass so many engineers
at LinkedIn, without raising flags on how bad this is. The moment I saw the
word "proxy" I cringed!

------
tzury
I wonder how Rapportive is doing these days. That is, whether this plug-in sits
in people's GMail app and sends out data to LinkedIn or not.

After all, we are talking about the same team more or less, and surely the
same company who owns Rapportive today.

If my concerns are real, one might find it ironic that Rapportive was backed
by YC and Paul Buchheit, the creator of Gmail, and now this very company is
violating GMail users' privacy.

~~~
JeremyBanks
Yikes. I've still been using Rapportive, but learning that it's being adapted
into this monstrosity has instantly dissolved any trust I had for the product.
Removing it now.

------
edwintorok
Related:
[https://news.ycombinator.com/item?id=6600597](https://news.ycombinator.com/item?id=6600597)

------
foxylad
> Intro breaks secure mail.

If it's modifying the message, it likely breaks DKIM too, meaning your
messages will be more likely to be flagged as spam.

More generally, this is the catalyst for me leaving LinkedIn. They've never
generated any new business (not even a single lead), and if I'm honest the
only reason I use it is more about my ego than anything useful.
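foxylad's DKIM point, worked through as an added example (not code from the post, the thread, or LinkedIn): a DKIM verifier recomputes the body hash (bh=) over the body it actually received and fails the signature on a mismatch before it even looks at the RSA signature over the headers (RFC 6376, section 6.1.3). Relaxed canonicalization tolerates whitespace reflow in transit, but not content an intermediary inserts. The signing domain, selector, b= value and the injected footer are constructed placeholders.

```python
"""Why a body-rewriting intermediary invalidates the sender's DKIM signature."""
import base64
import hashlib
import re


def relaxed_body_canonicalize(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs
    of whitespace to one space, strip trailing whitespace on each line, drop
    trailing empty lines, and end a non-empty body with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body):
    """base64(SHA-256(canonicalized body)): the value a signer puts in bh=."""
    digest = hashlib.sha256(relaxed_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs, removing folding
    whitespace inside values as the spec requires."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def body_hash_verifies(dkim_signature, body):
    """The verifier's body-hash step. Handles only a=rsa-sha256 with relaxed
    body canonicalization; anything else raises rather than guessing."""
    tags = parse_tags(dkim_signature)
    _, _, body_canon = tags.get("c", "simple/simple").partition("/")
    if tags.get("a") != "rsa-sha256" or (body_canon or "simple") != "relaxed":
        raise ValueError("example handles only a=rsa-sha256 with c=*/relaxed")
    return tags.get("bh") == body_hash(body)


def sign_body_only(body, domain="sender.example", selector="s1"):
    """Build the DKIM-Signature value a sender's MTA would emit. bh= is computed
    for real; b= (the RSA signature over the headers) is a labelled placeholder
    because this example is about the body hash only. Domain and selector are
    made up."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=from:to:subject; "
            "bh=%s; b=PLACEHOLDER" % (domain, selector, body_hash(body)))


# Constructed sample body, as the sender's MTA signed it.
ORIGINAL_BODY = "Hi Alice,\r\n\r\nCan we meet Thursday   at 10?\r\n\r\nBob\r\n\r\n"
SIGNATURE = sign_body_only(ORIGINAL_BODY)

# Whitespace reflow in transit survives relaxed canonicalization ...
REFLOWED_BODY = ORIGINAL_BODY.replace("Thursday   at", "Thursday at")
# ... but inserted content does not. The footer is a constructed stand-in,
# not anything LinkedIn is known to append.
MODIFIED_BODY = ORIGINAL_BODY + "-- \r\n[contact card inserted by an intermediary]\r\n"

if __name__ == "__main__":
    print("original:", body_hash_verifies(SIGNATURE, ORIGINAL_BODY))  # True
    print("reflowed:", body_hash_verifies(SIGNATURE, REFLOWED_BODY))  # True
    print("modified:", body_hash_verifies(SIGNATURE, MODIFIED_BODY))  # False
```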

------
hajderr
The idea itself is not that compelling that I would install it even if it
fulfilled all the criteria of security.

------
pavel_lishin
Good thing I use gmail.

~~~
drp4929
Good for you. Google Tells Court You Cannot Expect Privacy When Sending
Messages to Gmail
[http://www.consumerwatchdog.org/newsrelease/google-tells-cou...](http://www.consumerwatchdog.org/newsrelease/google-tells-court-you-cannot-expect-privacy-when-sending-messages-gmail-people-who-care)

~~~
dudus
This is incorrect. Completely out of context and actually quite the opposite
to what happened.

[http://www.techdirt.com/articles/20130814/14262524177/](http://www.techdirt.com/articles/20130814/14262524177/)

------
scotty79
That shows that no engineer has any say in what linkedin does. I can't imagine
any tech security aware individual would take such responsibility upon
himself.

How did the C-people even find out such a thing is possible? Some intern who
just found out how mail works probably was flapping his jaw too much.

------
gohrt
Is this claim true? I thought the Feds were claiming that using _any_ hosted
email (Gmail, Hotmail, etc), is considered a 3rd party subject to subpoena.

> These communications are generally legally privileged and can’t be used as
> evidence in court – but only if you keep the messages confidential.

------
foxylad
Opportunity time... are there any more scrupulous alternatives to LinkedIn?

------
tonylemesmer
So make a plugin for your email client which raises a little Intro flag when
you receive an email from an Intro user.

------
coldcode
Hmm if enough people complain Apple might close this feature. At least it's
opt-in. As for me, I would say no.

------
codecrusade
Shocking how something like this came out of Linkedin and Apple has not booted
them from the App store yet?

