LinkedIn’s iPhone ‘Intro’ tool goes outro
LinkedIn launched Intro in October 2013.
Within one day, the email plug-in for Apple iOS, designed to suction LinkedIn profile information and insert it into emails received on phones, was dubbed a “dream for attackers”.
Its lifespan was destined to be brief.
On Friday, LinkedIn announced that the guillotine drops on Intro’s security-oblivious little head on 7 March 2014.
Intro worked by showing email recipients LinkedIn information about senders who were also LinkedIn users.
LinkedIn wanted us to believe that this would help us to differentiate between spam and email from real people, particularly given that we could see a message sender’s LinkedIn photo, company and title.
Then, if you tapped on the bar, you’d get a list of mugshots showing the people through whom senders and recipients were connected. Scrolling down, you could then see the sender’s past and current occupations and where they went to school.
It was, of course, a play for mobile action, but it was also likened to a man-in-the-middle hacking attack.
Namely, Intro served as a way to intercept email traffic to and from users’ iPhones and iPads, diverting it from Gmail, Yahoo or whatever other email service provider it would otherwise have gone through and routing it onto LinkedIn’s servers.
There, LinkedIn proxy servers would analyse the email, scrape relevant data, and paste in its own details.
Intro was an opt-in service, but only for the recipients. Email senders, regardless of whether they’d opted in, would also be subjected to the LinkedIn servers’ scrub-a-dub.
As it is, LinkedIn is already facing a class action lawsuit, filed by four users in September after the service allegedly siphoned off the email addresses for everybody the users had ever emailed and then repeatedly spammed those contacts.
If Intro didn’t give rise to another class action suit, it was in the same ballpark. The epithets that security people threw at Intro were nothing if not masterpieces of contempt.
A favorite from Slashdot poster fuzzyfuzzyfungus:
This is a slick, weaponized, weasel-worded-for-wide-deployment dangerous toy we are talking about here.
Some said Intro was basically a ticking phishing-attack time bomb.
In the midst of the security concerns it raised, it’s hardly surprising (but still gratifying) that Intro would soon go belly-up.
Yet it’s all positive as far as LinkedIn is concerned: the service is merely “doing fewer things better,” as the company put it in the headline for its death-to-Intro announcement.
For those who want LinkedIn to “do fewer things better” well before the official 7 March outro of Intro, LinkedIn has provided uninstall instructions.
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yIbHXCo8sMo/