It took me a moment to understand what you're saying, which (correct me if I'm wrong) is that they could just forward the credentials along to the imap server they're proxying for, and not store those credentials themselves.
However, in 2013 it should be clear that it is no way whatsoever safe to just assume that information flowing through a third party's server will not be stored.
Anyone can send email as anyone else anyway. That lack of security is inherent in the way email currently works. Not sure I see how giving IMAP access makes things worse since IMAP doesn't have a mechanism for sending messages.
I would also hope they're not storing passwords in plaintext. Obviously they need access to the plaintext password to auth with your mail server, but I would hope this is still stored encrypted.
Which is why the key should be physically given to the system when it is started and then only stored in memory. The key file should not be available on any network-attached machine. Of course there's still potential for exploits in this scenario, but it does help minimize the attack surface.
Technologically this is straightforward: it uses a proxy server that sits in between you and your actual mailserver.
I think the privacy concerns of having your mail (potentially) available over yet another server in exchange for modest convenience makes it unlikely that I would use this, but I'm sure many will find the trade-off acceptable and desirable.
Yes, I would never want them (or virtually any third party) to have the ability to access my inbox, much less stand in between my mail provider and myself.
Before every email as yourself "if this email went public, would anyone care?" If I ever answer "yes", I don't send it. I either call or meet in person assuming we're not too remote.
You're doubling your surface for anything unethical, too. It not just the NSA, so it really makes no sense to take additional risk in this regards. You are adding an [or] operator, one that can lead to a complete failure mode. This is the opposite of risk diversification. Unless I'm missing something.
Yes, Google has your email, but not your credentials. A breach of your email exposes all the email you have now. Bad, yes. A breach of your credentials exposes all the email you get until you change them, and if you don't know to change them...
Proxy to return a header in your email. CSS to render the content upon click. IFrame to update content so it doesn't get cached.
Cute web hacks. I don't understand the problem with simply using their mobile app if you were really looking for work.
It sounds like an unnecessary feature for people who are looking and an annoyance to people who are not. That seems to be the problem of Linked In. They harass those who are working with vague and misplaced job requests in an attempt to expand their reach.
I don't think it is designed for people "looking for work". It seems to be built for business development. For example, an email like: "Hey, we met at a conference last month, just wanted to follow up..." - now you can see who they are, where they work, a profile picture to jog your memory and quickly connect - all from your email client. Very similar to what Rapportive did for Gmail.
Here's the thing though, whenever I send an email like that to someone I always include my LinkedIn profile for them to check out, which would redirect to the app on their phone. Personally, it does seem a bit unnecessary to include this feature.
That's actually a good point. I never would think to use Linked in as a business card. I usually would just write, "Hey it's me from that place we met."
it will probably "work" as they are abusing the network (it will probably screw up VPN configs) to hijack all imap calls. unless the gmail app uses regular http endpoints... which it probably does.
I'd be very surprised, because you can't configure the app to use a particular IMAP server. You just give it your username and password and it does the rest.
A private self-hosted version of this wouldn't be that bad. Imagine that you write the same proxy, and it injects data grabbed from the various API's its hooked up to.
This. The tech described is pretty neat... Give you my email creds? Hell no. But _I_ could do all that myself. I think that would be one way that linkedin could save this - release an easy to set up open source version, say one click to a heroku instance or something. Then one could add all sorts of smart stuff into their own emails.
Agreed. Imagine if you could have other providers snap into this? It's a shame that they're hacking their way around Apple's walled garden, but a self hosted proxy server is a nifty way to add functionality to email.
Why would the service close? It's supported by LinkedIn and AFAIK they're not in the habit of shutting things down. This almost feels like a no-brainer for them, especially given the move to mobile devices and locked-down apps.
Edit: Have I missed the point? I'm sure LinkedIn is a little more cautious about such changes than your average newly-founded startup. This product gives them access to people emails which they can probably glean a lot of info from. They already try to get access into email accounts (username + password) via the LinkedIn webapp so in a way this is just extending that to mobile. The only reason I can imagine them shutting it down is if no-one uses it (in which case, no one will complain).
Fair enough but as I tried (and obviously failed) to caveat, these are not shutdowns I really knew about. I clearly wasn't a user of those products so I didn't feel any pain when they went away.
Perhaps my claim is weak and my knowledge limited but I find it more ridiculous to claim the inevitability of a closure before a product is even being used.
NB I feel I should add that I'm not going to be a user of this product as I won't hand over email access. However, I can imagine many people who don't think the same finding it very useful.
Think of it like a value proposition. Is the (dubious IMO) convenience of having Linkedin profiles in your email worth the cost of Linkedin having the content of your email? Even if they pinky-swear to never read it, don't forget that this proxy email server would be, overnight, one of the most valuable corporate espionage targets in the world.
(If yes, you should probably ditch reading email and do something more productive with your time, like picking up cans.)
That is an interesting note, but if the business is using Gmail (http://www.google.com/enterprise/apps/business/products.html) maybe that's because they trust Google's services. Trusting one third party doesn't imply that you trust all third parties.
If you think about the reach Linked in has, combine that with each contact the linked in user has and you have a very fast database of emails that can be misused.
Isn't that the whole point of Rapportive? They're the only company I can think of that has successfully solved the "social profile matching" problem that I can think of off the top of my head.
If you look at one of LinkedIn's alternate applications, LinkedIn Contacts, http://contacts.linkedin.com/ it actually is a light-weight CRM application. The CRM meaning, it automatically connects to your email and calendar to your LinkedIn account to know when and how you are interfacing with people. I get a daily email with the meetings that I had the day before about who I met, as well as information on their LI profile about the last email conversation I had with them. This is super nice if you meet a bunch of people and need a way to take notes on who they are and what they are doing, independent of their business card.
The contacts application also sends things like reminders for your contacts work anniversaries or when they change positions (something that you can't access in the LI API).
I sometimes think that I shouldn't be giving LI all of this information, but this is a typical case where the benefit received is greater than my privacy concerns.
Couldn't agree more, not just because of the possible security implications, but also because it can seriously back-fire against you, in terms of potentially damaging your reputation.
A closely related example would be of a web app I stumbled upon recently via an unexpected email I received in my LinkedIn inbox about a new educational platform that supposedly one of my contacts was recommending me to try. Curious and suspicious, I opened the link and clicked on 'connect with LinkedIn'. In small script, the app was requiring me to authorize it to send emails on my behalf, which is exactly the case of the original unsolicited message I had received: another unsuspecting user just glossed over the terms and connected their LinkedIn account to this app....resulting in all of their contacts being spammed with the message. The 'victim' was displeased to say the least when I warned them what their account was doing without their knowledge.
Had I not been careful about that and proceeded to authorize the app, I would've most likely been booted off at least a few people's contact lists for spamming them with such stuff irrelevant to their interests.
No, they don't, and you keep posting that they do despite being proven wrong several times in the past. They lost hashed passwords which are not user credentials.
> No, they don't, and you keep posting that they do despite being proven wrong several times in the past.
You must have me confused with someone else.
> They lost hashed passwords which are not user credentials.
While you may be technically correct about credentials vs. hashed passwords, that distinction isn't relevant here. Losing hashed but unsalted passwords is still just as harmful.
> They lost hashed passwords which are not user credentials.
These passwords were unsalted sha1, that's about as good as rot13. Linkedin has clearly proved completely unable to do things correctly, if that applies to passwords it applies to everything else.
You do realize that cracking unsalted SHA1 passwords isn't that hard, right? Perhaps you should educate yourself on the wonderful world of GPU password cracking and the enormous speeds a handful of consumer-grade video cards working in concert can utterly smash through a database like this.
edit: Here's a blog post about being able to brute force 33.1 billion MD5 hashes a second using GPU's: http://blog.zorinaq.com/?e=43
This seems very very very brittle.
Some over compensating product asshat managed to convince their code monkeys into building something that will probably break easily not to mention security concerns with giving them your mailbox access.
I think it's a fairly well implemented hack.
One question: does the iPhone mail client load the contents of iframes by default? Don't these clients typically not load remote content like images?
Despite the privacy concern everyone is warring about, it is a beautiful integration. Technology is supposed to make life easier, not harder. Since Apple didn't open the door, someone else will ended up doing it. I am sure an open source solution with own proxy + LinkedIn api will work as well. That should take away the privacy concern.
Even if we disregard the privacy concerns and trust the third party with our inbox, I can't help imagining the consequences of a quiet compromise of their proxy service.
There is definitely not much value here for risk involved (handing out your credentials to a 3rd party). Although interesting, the hack seems pretty straight forward. I wonder if they had to do something more complex for 2-face authentication enabled accounts (gmail) or that is not supported?
According to "Pledge of Privacy"[1], no. It seems they will also modify your outgoing mail to remove the profile info.
So in addition to reading your incoming mail they can also modify your outgoing mail as well.
Suppose that user B gets mail from A, then forwards it to C. I'd see why this could be valuable info. for a company like this (and also has a high potential for abuse).
Wow, it even says right there that if you forward or reply via a different account, the full content remains in the message (of course!). I'd imagine the same thing would happen if you moved the message from a folder in one imap account to a folder in another imap account. Nice.
My initial reaction to this blog post was basically revulsion on a gut level, but the more I think about it, the more my revulsion becomes justified on a rational level.
So there's a nontrivial chance that if I'm connected to someone in LinkedIn whose profile is "private", then if I forward a message from him (containing this LinkedIn flair) to some third party (who is not connected to him), then I could expose his profile details to the third party? That's a privacy lawsuit just waiting to happen.
Every time I get an email from LinkedIn with updates on private profiles of people I am connected to I could forward that email to anyone, is that a privacy lawsuit waiting to happen too?
So you give up your email credentials to LinkedIn and in exchange you get a little widget that tells you the name of the person who is emailing you, the company they work for, their position in the company, and some contact information? Isn't that's what the signature line is for? Seriously, don't people already setup their signature line to include all that information.
This is essentially a mitm attack. I am amazed that a company the size of LinkedIn would think that this is in any way appropriate. These are the tricks of spammers and cyber criminals. This is what LinkedIn has become.
Will customers be explicitly told that all of their emails will be going through and stored on LinkedIn servers? I doubt it. I do envision a dialog box along the lines of "Click Here to make your experience better". Sadly people will click without realizing the implications.
But you do have to take into account the context of what they are doing. Yes on a technical scale it is similar to a mitm attack, and yes in theory they do have access to your email content, but I don't think that by using an interesting trick to add a useful feature should put them in the same category as sleazy hackers secretly trying to steal your credit cards and such.
Does it matter? They are purposefully inserting themselves into a stream of information which they largely have no business being a party to.
If (when?) this proxy service is compromised are they willing to be accountable for any information which leaks? I can't imagine wanting to even take on this risk (maybe I'm too conservative).
Edit: I just want to add - yes, it's interesting. Yes, it's sleazy.
There is a saying you may have heard before, "the road to Hell is paved with good intentions." Intent doesn't matter at all, because someone will inevitably figure out a) how, and b) why to take advantage of it for nefarious purposes.
The "attack" part of "man in the middle attack" refers to the fact that it is done secretly and generally with ill intentions. LinkedIn is not being secretive (and we can speculate about their intentions). If everything that's in the middle of something is a man in the middle attack, then that would include your home router.
I do think LinkedIn has ill intentions. In my opinion, their intentions are to collect, analyze, and ultimately profit from their user's email data. All under the guise of offering some marginal benefit.
I work in enterprise information security, and my team agreed upon hearing this news that if this was used on our email system, we would consider it a MITM attack. Whether or not the end user opted in, the corporation did not.
So, in the context of use in environments where your email address is not fully owned by you, attack would be a valid word. Otherwise, I agree that it's a MITM but not an attack.
Given that a lot of users are technically unaware of what they are doing, it would be akin to firing someone for falling for one of those pop ups that offers to do a free virus scan. If you are a pharmaceutical sales rep and you read that LI blog post, you probably think it is perfectly safe...
I would think the responsibility falls back onto IT to educate users - and to block connections from LI to the mail server.
No, in the same way we don't fire people for getting viruses on their computer. Without a reason to believe the action was intentionally designed to cause harm to the business, like cstrat said, education is the best way to handle it. It would be hard to prove malicious intent in a case like this. LinkedIn would be attacking us, the user would just be an attack vector. It's akin to getting phished.
I agree, and I think the major email providers should block it. Maybe Google can just cut off their API access and stop using LinkedIn for recruiting. That ought to get their attention.
I appreciate the data point, but I must admit that sounds very unreasonable, unless you're considering the employer as the attacker. Would the same apply if an employee were using a VPN at work?
We do block VPN on our corporate network, yes. A VPN is a tunnel that hides user activity from our monitoring and DLP tools and use of VPN from our network to the outside is against policy. Likewise, sharing your credentials with a third party is against policy.
The attacker is LinkedIn. The employee is the attack vector. LinkedIn is engaging in a phishing attack.
You didn't explicitly answer whether you consider VPN usage to be a man in the middle attack. I understand banning it (as well as this LinkedIn feature) on a corporate network, but not considering either a man in the middle attack.
VPN is a tunnel, not a MITM. It's used to bypass our monitoring and filtering. You're tunneling out of our network into someone else's, which may have more favorable rules.
This is a MITM, because LinkedIn is intercepting and modifying the traffic between the email server and the client machine, traffic which is supposed to only be read by the recipient. A VPN isn't intercepting traffic, it's used to tunnel traffic. LinkedIn is positioning themselves directly between the traffic source and the destination to read and modify the transmission.
Misleading title. Nobody did the impossible on iOS, just did clever things within the available frameworks. Well done author, it works. But did you ask yourself "should I really do this?"
What I hope is going to prove truly impossible is doing anything like this without requiring the user to explicitly accept the configuration profile. Even so I expect they will trick many into allowing "enhancement" of their email.
LinkedIn has a history of abusing email. From the early days* where they would email all of the contacts on your machine if you didn't read carefully enough to today where you can click unsubscribe many, many times and still get "important updates". It's a wretched hive of scum and recruiters, and they will never get between me and my email.
Now you have 220,000,000 LinkedIn users all running their email traffic through LinkedIn's proxy. I'm sure they have the bandwidth and CPU to handle that.
We're talking about mail. There's an equal distribution of users across many IMAP servers, most run by companies like Google and Microsoft that can handle the flow. Now we're redirecting all inbound mail traffic through exactly one host.
Apart from actually giving them the power to slip-stream their content into your messages, how is this different (access-wise) to what people have granted to the email-management app Mailbox? Seems like in both cases, you're handing control of your inbox content over to an additional 3rd party unnecessarily.
308 comments
[ 3.6 ms ] story [ 105 ms ] threadWell done!
However, in 2013 it should be clear that it is no way whatsoever safe to just assume that information flowing through a third party's server will not be stored.
I would also hope they're not storing passwords in plaintext. Obviously they need access to the plaintext password to auth with your mail server, but I would hope this is still stored encrypted.
Many emails are signed with DKIM now, which does help with verifiability.
> but I would hope this is still stored encrypted
Encryption is pointless when the keys for decryption are on the same server. Given their hack in 2012, I doubt there's any protection at all.
• passwords are stored for a minute, maybe up to two hours
• emails are stored for a few minutes, maybe a few hours
Most clients will poll for emails every few minutes, which means that the storage of the passwords is for all intents; permanent.
I think the privacy concerns of having your mail (potentially) available over yet another server in exchange for modest convenience makes it unlikely that I would use this, but I'm sure many will find the trade-off acceptable and desirable.
* your local mail client might get different E-mail content every time mail is downloaded, which is not the intent of IMAP,
* LinkedIn (hence, the NSA) gets full access to your E-mail,
* once people get hooked it's easy to transition to inserting ads, or "more helpful LinkedIn content",
I find all this rather disturbing and would never use this service.
What if I believe that Google (hence the NSA) already has access to my Gmail? What's the cost to my privacy if it's already lost?
My major concern is that if I provide Linkedin my credentials, I now have doubled my attack surface for intrusion by non-governmental actors.
Can I have your gmail and password? If not, why not?
You don't have a choice. If the person on the other end is using this service then your emails to them are hoovered.
This is making a big assumption that they understand the implications. Or that LinkedIn explains them at all.
Cute web hacks. I don't understand the problem with simply using their mobile app if you were really looking for work.
It sounds like an unnecessary feature for people who are looking and an annoyance to people who are not. That seems to be the problem of Linked In. They harass those who are working with vague and misplaced job requests in an attempt to expand their reach.
I also hate iFrames. Cool trick though.
Edit: Have I missed the point? I'm sure LinkedIn is a little more cautious about such changes than your average newly-founded startup. This product gives them access to people emails which they can probably glean a lot of info from. They already try to get access into email accounts (username + password) via the LinkedIn webapp so in a way this is just extending that to mobile. The only reason I can imagine them shutting it down is if no-one uses it (in which case, no one will complain).
You mean besides job agents, Answers, Events, ...
Perhaps my claim is weak and my knowledge limited but I find it more ridiculous to claim the inevitability of a closure before a product is even being used.
NB I feel I should add that I'm not going to be a user of this product as I won't hand over email access. However, I can imagine many people who don't think the same finding it very useful.
(If yes, you should probably ditch reading email and do something more productive with your time, like picking up cans.)
The contacts application also sends things like reminders for your contacts work anniversaries or when they change positions (something that you can't access in the LI API).
I sometimes think that I shouldn't be giving LI all of this information, but this is a typical case where the benefit received is greater than my privacy concerns.
Not to say that this isn't a bad idea though. It would have been an easier sell if you could do the IMAP proxying on the local device somehow.
This should be easy to run an background proxy under Android. Not sure if this is possible under iOS7 though.
http://cm.bell-labs.com/who/ken/trust.html
A closely related example would be of a web app I stumbled upon recently via an unexpected email I received in my LinkedIn inbox about a new educational platform that supposedly one of my contacts was recommending me to try. Curious and suspicious, I opened the link and clicked on 'connect with LinkedIn'. In small script, the app was requiring me to authorize it to send emails on my behalf, which is exactly the case of the original unsolicited message I had received: another unsuspecting user just glossed over the terms and connected their LinkedIn account to this app....resulting in all of their contacts being spammed with the message. The 'victim' was displeased to say the least when I warned them what their account was doing without their knowledge.
Had I not been careful about that and proceeded to authorize the app, I would've most likely been booted off at least a few people's contact lists for spamming them with such stuff irrelevant to their interests.
You must have me confused with someone else.
> They lost hashed passwords which are not user credentials.
While you may be technically correct about credentials vs. hashed passwords, that distinction isn't relevant here. Losing hashed but unsalted passwords is still just as harmful.
Otherwise, articles like this one would not exist: http://mashable.com/2012/06/08/linkedin-stolen-passwords-lis...
Take a wild guess at what they are storing this time around.
These passwords were unsalted sha1, that's about as good as rot13. Linkedin has clearly proved completely unable to do things correctly, if that applies to passwords it applies to everything else.
edit: Here's a blog post about being able to brute force 33.1 billion MD5 hashes a second using GPU's: http://blog.zorinaq.com/?e=43
[1]: http://blogs.msdn.com/b/oldnewthing/archive/2005/06/07/42629...
So in addition to reading your incoming mail they can also modify your outgoing mail as well.
Suppose that user B gets mail from A, then forwards it to C. I'd see why this could be valuable info. for a company like this (and also has a high potential for abuse).
[1. https://intro.linkedin.com/micro/privacy ]
So there's a nontrivial chance that if I'm connected to someone in LinkedIn whose profile is "private", then if I forward a message from him (containing this LinkedIn flair) to some third party (who is not connected to him), then I could expose his profile details to the third party? That's a privacy lawsuit just waiting to happen.
It's a cool hack, however.
Will customers be explicitly told that all of their emails will be going through and stored on LinkedIn servers? I doubt it. I do envision a dialog box along the lines of "Click Here to make your experience better". Sadly people will click without realizing the implications.
If (when?) this proxy service is compromised are they willing to be accountable for any information which leaks? I can't imagine wanting to even take on this risk (maybe I'm too conservative).
Edit: I just want to add - yes, it's interesting. Yes, it's sleazy.
to implement a feature that's impossible to do any other way. They have a justification for doing this.
So, in the context of use in environments where your email address is not fully owned by you, attack would be a valid word. Otherwise, I agree that it's a MITM but not an attack.
I would think the responsibility falls back onto IT to educate users - and to block connections from LI to the mail server.
The attacker is LinkedIn. The employee is the attack vector. LinkedIn is engaging in a phishing attack.
This is a MITM, because LinkedIn is intercepting and modifying the traffic between the email server and the client machine, traffic which is supposed to only be read by the recipient. A VPN isn't intercepting traffic, it's used to tunnel traffic. LinkedIn is positioning themselves directly between the traffic source and the destination to read and modify the transmission.
What I hope is going to prove truly impossible is doing anything like this without requiring the user to explicitly accept the configuration profile. Even so I expect they will trick many into allowing "enhancement" of their email.
LinkedIn has a history of abusing email. From the early days* where they would email all of the contacts on your machine if you didn't read carefully enough to today where you can click unsubscribe many, many times and still get "important updates". It's a wretched hive of scum and recruiters, and they will never get between me and my email.
*spoke too soon! looks like they still do it: http://community.linkedin.com/questions/10106/i-want-linkedi...
• LinkedIn: The Creepiest Social Network (May 9; 326 points) https://news.ycombinator.com/item?id=5680680
• Why I Just Closed My LinkedIn Account (Jun 18; 137 points) https://news.ycombinator.com/item?id=5900120
• LinkedIn sued by users who say it hacked their e-mail accounts (Sep 22; 204 points) https://news.ycombinator.com/item?id=6425444
• Today I Deleted My LinkedIn Account; You Probably Should Too (Sep 24; 143 points) https://news.ycombinator.com/item?id=6433828
Now you have 220,000,000 LinkedIn users all running their email traffic through LinkedIn's proxy. I'm sure they have the bandwidth and CPU to handle that.