This morning I started to read the classical security sources again and found this article: LinkedIn ‘Intro’duces Insecurity. I started to read without too much interest until I reached this point:
Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.
“But that sounds like a man-in-the-middle attack!” I hear you cry. Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing.
They do what? They reconfigure my phone to send my mail through their servers? I could not believe it. So, I started to look at the LinkedIn pages. On their Intro privacy page, they state:
How does LinkedIn Intro work?
We’ve worked very hard to ensure that LinkedIn Intro works with Apple’s Mail app. When you install LinkedIn Intro, we help you add a new Mail account to your iPhone. This new Mail account will show you exactly the same messages as your old Mail account, but it will also include LinkedIn Intro.
Once you’ve installed LinkedIn Intro, we recommend that you turn off your old Mail account. If you don’t, you may see emails twice: once in each account. Turning off your old Mail account does not delete anything, and you can undo it at any time.
What’s happening under the hood: without Intro, your Mail app connects directly to the servers of your email provider (e.g. Gmail or Yahoo!) to download messages. With Intro, your Mail app connects instead to the Intro servers, which fetch messages from your email provider and then pass them back to your Mail app. As the messages pass through the Intro servers, we add the social context that helps you be brilliant with people.
Do you read my email?
After you install Intro, your emails are passed through LinkedIn’s servers, which are secured and monitored 24/7 to prevent any unauthorized access.
In order to provide the Intro service, the servers use software to extract information from each message: for example, the sender’s email address is extracted, so that the servers can search for their LinkedIn profile to include in the message.
Do you store my email or my password?
LinkedIn servers will temporarily cache information in order to provide you with the fastest service possible. Here are the full details:
During installation, the servers temporarily cache your password in order to add a new Mail account to your device. Your password is only cached for the length of time it takes to install Intro, and never for more than 2 hours. Typically, your password is cached for no more than 1 minute.
During usage, the servers may temporarily cache your emails in order to make emails download faster. When your device starts to download a mail folder, such as your inbox, the servers will pre-emptively download and cache recent messages in that folder. A few seconds later, when your device downloads the individual messages, the servers will provide the cached messages. Your messages are only cached until your device downloads them, and never for more than 1 hour. Typically, your messages are cached for no more than a few minutes.
All cached information is held securely to industry standards. Each piece of data is encrypted with a key that is unique to you and your device, and the servers themselves are secured and monitored 24/7 to prevent any unauthorized access.
I guess it is not April 1st, is it? This is absolutely unbelievable to me – and even more so in today’s world. How long will it take until providers stop doing such absolutely stupid stuff and until the users start to complain? I guess there will be plenty of people installing this app…
I am just waiting until the NSA sets up a social network together with their “friends” – rerouting our mails through their servers as well would make their lives so much easier.
Roger
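An added example (not part of the original post and not LinkedIn's code): a check an administrator could run over iOS configuration profiles to spot a Mail account whose IMAP/SMTP servers are an intermediary rather than the mail provider, which is the rerouting described under "What's happening under the hood". It assumes the new account is delivered as a `.mobileconfig` profile, which the post does not state; the expected-host list, the proxy host name and all sample values are constructed.

```python
import plistlib

# Assumption: the mail servers this organisation's clients should reach directly.
EXPECTED_MAIL_HOSTS = {"imap.gmail.com", "smtp.gmail.com"}
HOST_KEYS = ("IncomingMailServerHostName", "OutgoingMailServerHostName")


def load_profile(data: bytes) -> dict:
    """Parse a .mobileconfig; signed profiles wrap the XML plist in a CMS envelope."""
    start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found (encrypted or binary profile?)")
    return plistlib.loads(data[start:end + len(b"</plist>")])


def audit_profile(data: bytes, expected=EXPECTED_MAIL_HOSTS) -> list:
    """List mail-account payloads whose IMAP/SMTP host is not an expected one."""
    payloads = load_profile(data).get("PayloadContent", [])
    findings = []
    for p in payloads if isinstance(payloads, list) else []:
        if not isinstance(p, dict) or p.get("PayloadType") != "com.apple.mail.managed":
            continue
        for key in HOST_KEYS:
            # Normalise case and a trailing dot so "IMAP.Gmail.com." still matches.
            host = str(p.get(key, "")).strip().lower().rstrip(".")
            if host and host not in expected:
                findings.append((p.get("EmailAddress"), key, host))
    return findings


def sample_profile(incoming: str, outgoing: str) -> bytes:
    """Constructed sample profile; every value here is made up for the example."""
    mail = {
        "PayloadType": "com.apple.mail.managed",
        "EmailAccountType": "EmailTypeIMAP",
        "EmailAddress": "alice@example.com",
        "IncomingMailServerHostName": incoming,
        "OutgoingMailServerHostName": outgoing,
    }
    wifi = {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "office"}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [wifi, mail]})


if __name__ == "__main__":
    print(audit_profile(sample_profile("imap.gmail.com", "smtp.gmail.com")))
    proxied = sample_profile("IMAP.mail-proxy.example.net.", "smtp.mail-proxy.example.net")
    # Simulate a signed profile: opaque bytes around the embedded plist.
    print(audit_profile(b"\x30\x82\x0b\x2a" + proxied + b"\x00\x01"))
```

A profile whose payload is encrypted carries no readable plist and raises `ValueError`, so treat that as "needs manual review" rather than as a clean result.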
Hi Roger
Thanks for this info, now I close my LinkedIn account.
Hi Rico,
I would not go THAT far. LinkedIn as a network is very useful (from my point of view). But do not install Intro 🙂
Roger