LinkedIn’s Intro feature to a man-in-the-middle attack, the company has hit back, saying it considered all the security implications before rolling it out.
LinkedIn has responded to criticism over its new Intro product, stating that many things that have been said are “not correct or purely speculative”.
Last week, the company launched the service, which acts as a proxy between a user and an email provider, intercepting emails in order to inject LinkedIn information into them.
The company’s senior manager for information security, Cory Scott, wrote on the company’s blog that the security team had challenged the idea internally in order to make sure it was implemented in a sound fashion.
This included bringing in an outside security firm, iSEC Partners, to audit every line of code written; ensuring that email does not persist on its servers; placing the proxy server in a separate network segment; and performing its own internal penetration tests.
Scott took particular issue with claims made by IT security firm Bishop Fox. After Intro was announced, Bishop Fox claimed that the installation of Intro changes users’ security profiles on their devices, and that such profiles could be used to “wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things”.
Scott denied these claims, saying that LinkedIn’s profile only adds an email account that communicates with its proxy server.
Bishop Fox has recommended not introducing Intro into the work environment, and has banned it from its own devices. The company also believes that installing the feature would likely violate any company policy that requires users not to share sensitive data with third parties.
LinkedIn is currently defending itself against a class-action lawsuit alleging that it breaks into the email accounts of members who upload their address books. It has denied claims that it hacks members’ accounts or accesses their emails without permission, and believes the lawsuit is without merit.