LinkedIn defends security of Intro service

As security experts liken LinkedIn's Intro feature to a man-in-the-middle attack, the company has hit back with claims saying it considered all the security implications before rolling it out.

LinkedIn has responded to criticism over its new Intro product, stating that many things that have been said are "not correct or purely speculative".

Last week, the company launched the service, which acts as a proxy between a user and an email provider, intercepting emails in order to inject LinkedIn information into them.

The company's senior manager for information security, Cory Scott, wrote on the company's blog that the security team had challenged the idea internally in order to make sure it was implemented in a sound fashion.

This included bringing in an outside security firm, iSEC Partners, to audit every line of code written, ensuring that email does not persist on its servers, placing the proxy server in a separate network segment, and performing its own internal penetration tests.

Scott took particular issue with claims made by IT security firm Bishop Fox. After Intro was announced, Bishop Fox claimed that the installation of Intro changes users' security profiles on their devices, and that such profiles could be used to "wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things".

Scott denied these claims, saying that its profile only adds an email account that communicates with its proxy server.

The post continued to fall back on its Pledge of Privacy (written specifically for Intro) and its existing privacy policy when tackling the issue of how data will be handled. The pledge in particular serves to allay user concerns over privacy, and describes why or how users should be able to trust the company.

Bishop Fox has made the recommendation not to introduce Intro into the work environment, and has banned it from its own devices. The company also believes that installing the feature would likely be a violation of any company policy that has a requirement for users not to share sensitive data with third parties.

LinkedIn is currently defending itself against a class-action lawsuit alleging that it breaks into the email accounts of members that upload their address books. It has denied claims that it hacks members' accounts or accesses their emails without permission, and believes the lawsuit is without merit.