LinkedIn Intro Attacked Over iOS Security Concerns, Company Responds


LinkedIn Intro For iOS

On Wednesday LinkedIn rolled out the LinkedIn Intro platform for iOS devices. Almost immediately after the service was launched security concerns began to surface on the web.

By Saturday morning LinkedIn had released a blog post titled “The Facts about LinkedIn Intro.” In that post the company writes:

“Many things have been said about the product implementation that are not correct or are purely speculative, so this post is intended to clear up these inaccuracies and misperceptions.”

The post claims that the LinkedIn Security team closely examined the core design of Intro to ensure that the best possible implementation of security standards was followed.

The post lists some of the actions the LinkedIn Intro team says it took to secure the platform for its iOS launch:

  • We isolated Intro in a separate network segment and implemented a tight security perimeter across trust boundaries.
  • We performed hardening of the externally and internally-facing services and reduced exposure to third-party monitoring services and tracking.
  • We also had iSEC Partners, a well-respected security consultancy, perform a line-by-line code review of the credential handling and mail parsing/insertion code.
  • Our internal team of experienced testers also penetration-tested the final implementation, and we worked closely with the Intro team to make sure identified vulnerabilities were addressed.
  • We made sure we have the right monitoring in place to detect any potential attacks, react quickly, and immediately minimize exposure.
  • All communications use SSL/TLS at each point of the email flow between the device, LinkedIn Intro, and the third-party mail system. When mail flows through the LinkedIn Intro service, we make sure we never persist the mail contents to our systems in an unencrypted form. And once the user has retrieved the mail, the encrypted content is deleted from our systems.
  • We worked to help ensure that the impact of the iOS profile is not obtrusive to the member. It’s important to note that we simply add an email account that communicates with Intro. The profile also sets up a certificate to communicate with the Intro web endpoint through a web shortcut on the device. We do not change the device’s security profile in the manner described in a blog post that was authored by security firm Bishop Fox on Thursday.

For more information about email and document handling LinkedIn directs its users to check out its Pledge of Privacy or the LinkedIn Privacy Policy.

Most software platforms released onto the open market these days raise security concerns, and LinkedIn Intro is no different. Here is a video covering security experts’ concerns about the new platform:


James Kosur

James Kosur has worked in the new media space for the last 10 years, helping many publications build their audiences to millions of monthly readers. He currently serves as the Director of Business Development at Business2Community.com and the CEO of Aven Enterprises LLC.
