LinkedIn, like any other social media platform is a mine of information for internet users, due this reason the number of attacks against it are soaring. The principal social media are integrating their offer with new services extended also to mobile platforms. LinkedIn for example has launched a new app for for iOS devices called Intro ‘LinkedIn Intro‘ that allow to Apple’users to display a picture of the sender, and other useful profile info from LinkedIn, when they receive an email.
How does it work?
Simple, to use the service, a LinkedIn user must route all of their emails (e.g. Hotmail, Gmail, Yahoo, etc.) through LinkedIn’s ‘Intro’ servers, which will inject necessary code to display info related to the profiles in his emails.
The following image shows the way LinkedIn Intro propose the information.
The downside it that LinkedIn have to access the content of user’s emails to implement this feature and also can manage the user’s passwords for his email accounts on other providers, the consequences for privacy and security are clear.
Considering that Apple doesn’t provide any development tool (e.g. APIs) to implement the feature it is conceivable that LinkedIn operated as ‘man in the middle’ to intercept the email to inject that HTML code.
“Normally your device connects directly to the servers of your email provider (Gmail, Yahoo, AOL, etc.), but we can configure the device to connect to the Intro proxy server instead. The Intro proxy server speaks the IMAP protocol, just like an email provider, but it doesn’t store messages itself. Instead, it forwards requests from the device to your email provider, and forwards responses from the email provider back to the device. En route, it inserts Intro information at the beginning of each message body — we call this the top bar.“
“We understand that operating an email proxy server carries great responsibility. We respect the fact that your email may contain very personal or sensitive information, and we will do everything we can to make sure that it is safe. Our principles and key security measures are detailed in our pledge of privacy.”