LinkedIn defends security of Intro service

Summary: As security experts liken LinkedIn's Intro feature to a man-in-the-middle attack, the company has hit back, saying it considered all the security implications before rolling it out.

LinkedIn has responded to criticism over its new Intro product, stating that many things that have been said are "not correct or purely speculative".

Last week, the company launched the service, which acts as a proxy service between a user and an email provider, intercepting emails in order to inject LinkedIn information for them.

The company's senior manager for information security Cory Scott wrote on the company's blog that the security team had challenged the idea internally in order to make sure it was implemented in a sound fashion.

This included bringing in an outside security firm, iSEC Partners, to audit every line of code written, ensuring that email does not persist on its servers, placing the proxy server in a separate network segment, and performing its own internal penetration tests.

Scott took particular issue with claims made by IT security firm Bishop Fox. After Intro was announced, Bishop Fox claimed that the installation of Intro changes users' security profiles on their devices, and that such profiles could be used to "wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things".

Scott denied these claims, saying that its profile only adds an email account that communicates with its proxy server.

The post continued to fall back on its Pledge of Privacy (written specifically for Intro), and its existing privacy policy when tackling the issue of how data will be handled. The pledge in particular serves to allay user concerns over privacy, and describes why or how they should be able to trust the company.

Bishop Fox has made the recommendation not to introduce Intro into the work environment, and has banned it from its own devices. The company also believes that installing the feature would likely be a violation of any company policy that has a requirement for users not to share sensitive data with third parties.

LinkedIn is currently defending itself against a class-action lawsuit alleging that it breaks into the email accounts of members that upload their address books. It has denied claims that it hacks members' accounts or accesses their emails without permission, and believes the lawsuit is without merit.

Topics: Security, Privacy, Social Enterprise

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
