LinkedIn's Security Manager Cory Scott responds to critics

Oct 28, 2013 12:52 GMT  ·  By

Ever since LinkedIn announced Intro – a new service that allows Apple Mail Inbox users to view the LinkedIn profiles of the people they’re receiving emails from – security researchers have issued several warnings about the new tool.

The most concerning thing is that all email communications have to pass through LinkedIn’s systems. Considering that the company has recently suffered a major data breach, it’s difficult to trust it with your business-related emails.

Graham Cluley was among the first to warn users about LinkedIn Intro.

“I’m not suggesting that it has created LinkedIn Intro with any malicious intentions (unless you consider them injecting an advertisement for their brand in every email malicious), but clearly security is not part of the company’s DNA – and that troubles me,” the expert noted.

Conrad Longmore of Dynamoo’s Blog goes even further, comparing LinkedIn’s data collection processes to the NSA's.

Security researcher Jordan Wright has also analyzed LinkedIn Intro and he has even developed a proof-of-concept to show how it could be used for phishing attacks.

Seeing the large amount of negative publicity, LinkedIn came forward to provide some facts about Intro.

“When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible. We explored numerous threat models and constantly challenged each other to consider possible threat scenarios,” Cory Scott, LinkedIn’s senior manager for information security, said.

Scott explains that Intro is isolated in a separate, highly secure network segment. In addition, its code has been reviewed by iSEC Partners to make sure it doesn’t have any security holes.

Besides the external audit, the internal team has also carried out penetration tests. SSL/TLS is used to protect information circulating between the device, Intro, and the mail system.

Furthermore, the company set up monitoring mechanisms designed to quickly detect potential attacks.