The new LinkedIn iPhone app that embeds a link to an email sender's profile on the professional network presents a number of security risks and should not be used, experts warned.
Criticism of the app, called Intro, started soon after its release last week. The first to slam LinkedIn was security consultancy Bishop Fox, which accused the site of "hijacking email."
Over the weekend, Jordan Wright, a security engineer at CoNetrix, said he was able to spoof Intro profile information, using a technique that a criminal could easily replicate for a phishing attack.
On Monday, Neohapsis, which does penetration testing and risk assessment for mobile apps, got into the act, saying Intro users were taking on serious risks for a "marginal convenience feature at best."
"I can't think of a situation where a user would agree to a reduced level of transport security of their emails in exchange for the novelty of being able to instantly view their LinkedIn contact's details in the iPhone email client," Gene Meltser, technical director at Neohapsis Labs, said.
LinkedIn has defended Intro, saying the criticism is based on "inaccuracies and misperceptions."
Wright's spoofing experiment started with the interception of the security profile Intro inserts into iOS. He then found the username and password used to log into the LinkedIn service and grabbed the first email to look closely at what LinkedIn injects.
His investigation found that he could remove the Intro data and replace it with his own, thereby commandeering the Intro profile tab to show whatever information he wanted.
While his proof-of-concept would be benign to an email recipient, "it would be just as easy to attach a malicious payload, request sensitive information, etc.," Wright said.
Fox compared Intro to a "man-in-the-middle" attack, because all messages go through LinkedIn servers and are analyzed and scraped for data "pertaining to whatever they feel like it."
Also, pushing a security profile to the iOS device so that LinkedIn can re-route emails posed the risk of that profile being used to wipe the phone, install or delete apps, and restrict functionality.
"You are effectively putting your trust in LinkedIn to manage your users' device security," Fox said.
From a privacy standpoint, sending a message through a third party could waive protections that courts apply only to messages a person tries to keep confidential, Fox said. For people who use their iOS devices for work, Intro would likely violate their company's security policy if that policy bars employees from disclosing sensitive data to a third party.
LinkedIn outlined a number of security measures it took with Intro. For example, "mail content" going through the Intro service is encrypted and deleted once the user has retrieved the mail. However, LinkedIn does store metadata, according to Fox.
LinkedIn also disputed Fox's contention that the iOS device's security profile is changed; instead, the company said, the Intro service adds an email account that communicates with its server.
"The profile also sets up a certificate to communicate with the Intro Web endpoint through a Web shortcut on the device," LinkedIn said.
Security consultancy iSEC Partners performed a line-by-line code review of Intro's credential handling and mail parsing/insertion code, LinkedIn said.
"When the LinkedIn security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible," the company said.
LinkedIn has suffered security breaches before. Last year, 6.5 million member passwords taken from a LinkedIn server were posted on a Russian hacker forum. The passwords were easily decrypted because the company had used only a rudimentary hashing algorithm that was far weaker than the industry standard.