
LinkedIn's Intro Email Plugin Is A Security Disaster

By / 10.25.13


LinkedIn just debuted a new email plug-in, Intro, for your iDevice. It’s a neat idea that lets you see the LinkedIn profile of people who email you, so you know exactly who you’re talking to. The problem is that the entire app is literally built on a method of hacking your email used by everybody from script kiddies to the NSA.

Here’s how it works: Instead of your email going directly to you, your email is first sent to LinkedIn’s servers. LinkedIn scans your email, adds the relevant LinkedIn information and sends it on its way… which is a classic hacker technique called a “man-in-the-middle” attack. Just to add to the fun, it means LinkedIn has to decrypt, read, and then reencrypt your email… which is kind of a problem since LinkedIn stinks at online security. Oh, and they’re also storing your email “metadata”, a term that’s surprisingly vague considering what the plug-in does.

Can it get worse? Absolutely, according to the New York Times:

Bishop Fox, the security consulting firm, called the app “a dream for attackers” and enumerated specific concerns. Among them: By giving LinkedIn access to their e-mails, users may be waiving their rights to attorney-client privilege. The consultancy also warned users that by opting into Intro, they may be “in gross violation” of their employer’s security policies.

Bishop Fox also notes that LinkedIn adds data to your email and changes your phone’s security profile, and that LinkedIn doesn’t get into any details about how it secures this stuff. In other words, it essentially makes your phone less secure to save you from having to surf over to LinkedIn and find out who the hell this guy emailing you even is, if you even care enough to do that.
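For anyone who has to check devices for this kind of rerouting, here is an added example (not from the original article, LinkedIn or Bishop Fox) that audits an iOS configuration profile for mail accounts pointed at servers outside your approved mail domains. It assumes the rerouting is set up through a profile's mail account payload; the sample profile, hostnames and function names are constructed for illustration.

```python
import plistlib

# Constructed sample profile (not LinkedIn's actual profile): a mail account
# whose incoming server is a third-party relay instead of the mail provider.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example Mail Add-on",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mail.managed",
            "EmailAddress": "alice@example.com",
            "IncomingMailServerHostName": "imap.relay.example.net",
            "OutgoingMailServerHostName": "smtp.example.com",
        },
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "office"},
    ],
})

# Mail account payload keys that decide where the device sends and fetches mail.
HOST_KEYS = ("IncomingMailServerHostName", "OutgoingMailServerHostName")


def host_allowed(host, allowed_suffixes):
    """True if host is an approved domain or a subdomain of one.

    Matching on a leading dot keeps 'imap.notexample.com' from passing
    as 'example.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)


def audit_profile(profile_bytes, allowed_suffixes):
    """Return (account, key, host) for every mail server outside the allowlist."""
    profile = plistlib.loads(profile_bytes)
    allowed = [s.lower().strip(".") for s in allowed_suffixes]
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mail.managed":
            continue  # only mail account payloads can reroute mail
        account = payload.get("EmailAddress", "<unknown>")
        for key in HOST_KEYS:
            host = payload.get(key)
            if host and not host_allowed(host, allowed):
                findings.append((account, key, host))
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE, ["example.com"]):
        print("mail routed through unapproved server:", finding)
```

The allowlist should hold the domains of your real mail provider, since an account on a custom domain is often served by hosts under the provider's own name.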

It’s honestly not a bad idea and it can even be useful, but it seems like the security risks of the app are just a little too high to make it worth it right now. One assumes LinkedIn will completely retool it and fix the security issues, but for now, it’s probably best to stay away.

(Image elements courtesy of Shutterstock)

