LinkedIn's Intro service was built to deliver a friendlier mobile business-networking experience. Security researchers, however, warn that it also opens a gateway for hackers.
Intro hooks into Apple's pre-installed iOS Mail application and reconfigures the user's e-mail account so that it is proxied through LinkedIn's servers. In effect, all mail sent and received through that account passes through LinkedIn.
James Lyne, Global Head of Security Research for anti-malware company Sophos, said in a blog post that LinkedIn has put up a big sign inviting cyber criminals, nation states and others with a message “hack here, we've got loads of juicy data.”
Carl Livitt, Senior Security Researcher at security consultancy Bishop Fox, agreed with Lyne and told USA Today that from a privacy and security standpoint, LinkedIn's new Intro opens fresh opportunities for bad guys.
In LinkedIn's defense, corporate communications director Julie Inouye told CyberTruth, "We take the privacy and security of our members' data very seriously and have taken a thoughtful approach to ensure we've put the right security precautions in place for the LinkedIn Intro product."
In an interview with CyberTruth, Livitt addressed the core security issue introduced by Intro: because Intro supports some of the biggest names in e-mail, such as Yahoo, hackers who compromised the proxy could "simply 'pass through' your real credentials to your real email provider."
He added, “They would gain access to the usernames and passwords of at least every Yahoo! and AOL user; Gmail users would not be affected in the same way because of OAuth. There is also a rather pervasive concern that LinkedIn has a poor security track record and there is corresponding concern about the design, implementation, and due diligence that has gone into creating the Intro service.”
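As an added illustration of the exposure Livitt describes (example code written for this page, not LinkedIn's, Apple's or any MDM vendor's; the provider domain list and all hostnames and accounts are constructed assumptions), here is a defender-side check over a mail client's account settings. It flags an account whose IMAP or SMTP server is not operated by the user's own mail provider, i.e. mail being proxied through a third party, and separately flags password authentication through such a proxy, which is the pass-through case: the proxy handles the reusable username and password, whereas with OAuth it holds only a scoped, revocable token.

```python
from dataclasses import dataclass

# Constructed, illustrative mapping of a mail provider (the domain part of
# the username) to hostname suffixes its own mail servers use. Not an
# authoritative list; a real deployment would maintain this from the
# provider's published settings.
PROVIDER_DOMAINS = {
    "yahoo.com": ("yahoo.com",),
    "aol.com": ("aol.com",),
    "gmail.com": ("gmail.com", "google.com"),
}


@dataclass
class MailAccount:
    """One configured mail account as a client or MDM profile would store it."""
    username: str   # e.g. alice@yahoo.com
    imap_host: str
    smtp_host: str
    auth: str       # "password" or "oauth"


def provider_of(username: str) -> str:
    """Return the domain part of the account's username, lower-cased."""
    return username.rsplit("@", 1)[-1].lower()


def host_belongs_to(host: str, suffixes) -> bool:
    """True if host equals or is a subdomain of one of the given suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def assess_account(acct: MailAccount) -> list:
    """Return a list of findings; an empty list means no proxy risk detected."""
    findings = []
    provider = provider_of(acct.username)
    suffixes = PROVIDER_DOMAINS.get(provider)
    if suffixes is None:
        findings.append(
            f"unknown provider {provider}: cannot verify server ownership")
        return findings
    for role, host in (("imap", acct.imap_host), ("smtp", acct.smtp_host)):
        if not host_belongs_to(host, suffixes):
            findings.append(
                f"{role} host {host} is not operated by {provider}: "
                f"mail is proxied through a third party")
    # The pass-through exposure only arises when a third-party host sits in
    # the path AND the client authenticates with a reusable password.
    if findings and acct.auth == "password":
        findings.append(
            "password auth through a proxy: the proxy sees reusable credentials")
    return findings


if __name__ == "__main__":
    # Constructed sample accounts; mail-proxy.example.net is a placeholder
    # for any third-party relay.
    samples = [
        MailAccount("alice@yahoo.com", "imap.mail.yahoo.com",
                    "smtp.mail.yahoo.com", "password"),
        MailAccount("alice@yahoo.com", "mail-proxy.example.net",
                    "mail-proxy.example.net", "password"),
        MailAccount("bob@gmail.com", "mail-proxy.example.net",
                    "mail-proxy.example.net", "oauth"),
    ]
    for acct in samples:
        print(acct.username, acct.auth, assess_account(acct) or "OK")
```

The second sample account reproduces the Yahoo/AOL case from the interview (a third-party host plus password authentication yields three findings), while the third reproduces the Gmail case, where the proxy is still flagged but no reusable credential passes through it.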
However, LinkedIn is not the first to do this. According to Livitt, "Some of the big MDM (mobile device management) providers employ techniques similar to what Intro is doing, but they have mature solutions."
Livitt speculates that LinkedIn resorted to this in order to gather information about users for more effective advertising, a strategy he doubts will work, because nobody would knowingly hand over confidential information just to have LinkedIn embedded in their e-mail.