LinkedIn’s Email Proxy Scheme Described as Man-in-the-Middle Attack

By ISBuzz Team
Writer, Information Security Buzz | Oct 28, 2013 03:20 am PST

Professional networking giant LinkedIn is drawing heavy criticism over privacy and security lapses in its new LinkedIn Intro offering, which is being described as the equivalent of a Man-in-the-Middle (MitM) attack.

The feature is intended to give iPhone users access to background information on their contacts by routing their emails through the proxy service, but security experts warn that the system is a threat to personal privacy and potentially a serious concern for enterprise network security.

“Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to… whatever they feel like,” said Bishop Fox.

“But that sounds like a man-in-the-middle attack! I hear you cry. Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing,” Bishop continued, pointing out that encryption would likely be broken in the process.

Others contend LinkedIn’s record on security matters is less than stellar, citing the loss of over six million users, and the mining of sensitive data from the iOS calendars of some of its members.

