The new LinkedIn iPhone app that embeds a link to an email sender’s profile on the professional network presents a number of security risks and should not be used, experts warned.
Criticism of the app, called Intro, started soon after its release last week. The first to slam LinkedIn was security consultancy Bishop Fox, which accused the site of “hijacking email.”
Over the weekend, Jordan Wright, a security engineer at CoNetrix, said he was able to spoof Intro profile information, using a technique that a criminal could easily replicate for a phishing attack.
On Monday, Neohapsis, which does penetration testing and risk assessment for mobile apps, got into the act, saying Intro users were taking on serious risks for a “marginal convenience feature at best.”
“I can’t think of a situation where a user would agree to a reduced level of transport security of their emails in exchange for the novelty of being able to instantly view their LinkedIn contact’s details in the iPhone email client,” Gene Meltser, technical director at Neohapsis Labs, said.
LinkedIn has defended Intro, saying the criticism is based on “inaccuracies and misperceptions“.
Wright’s spoofing experiment started with the interception of the security profile Intro inserts into iOS. He then found the username and password used to log into the LinkedIn service and grabbed the first email to look closely at what LinkedIn injects.
His investigation found that he could remove the Intro data and replace it with his own, thereby commandeering the Intro profile tab to show whatever information he wanted.
While his proof-of-concept would be benign to an email recipient, “it would be just as easy to attach a malicious payload, request sensitive information, etc.,” Wright said.
Fox compared Intro to a “man-in-the-middle” attack, because all messages go through LinkedIn servers and are analyzed and scraped for data “pertaining to whatever they feel like it.”
Also, by pushing a security profile to the iOS device, so LinkedIn can re-route emails, posed the risk of having the profile used to wipe a phone, install apps, delete apps and restrict functionality.
“You are effectively putting your trust in LinkedIn to manage your users’ device security,” Fox said.
Continue reading by clicking the source link below.