I don't think I've ever gagged quite like that while reading a technical article describing a "neat hack".
At first I'm thinking, oh, I wonder how they convinced Apple to let them use some private APIs, and then... curiosity turns to revulsion as soon as I saw that proxy diagram. Good god... LinkedIn MITM IMAP. That is truly terrifying.
How would you even go about installing that on the user's phone? Oh, that's in there too... they ship a 'configuration profile' which adds a new email account, so your password is leaving the device in cleartext and being used to create the profile server-side which is then shipped back to the phone and installed, how exactly?
This just gets worse and worse if I understand correctly... I'm surprised that configuration profiles can be shipped to an arbitrary device from a third party this way without the user manually installing LinkedIn's certificate as trusted. In other words, it should be a lot harder to "Accept" these profiles outside an enterprise setting, because it sounds exploitable. What else can you configure "so easily" I wonder?
Then you get into how they are hacking CSS and iframes into the email body, to substitute for JavaScript, and actually create a workable user interface. Now this is fascinating, impressive, and deserves further study... Without fully understanding exactly what they are doing, however, it sounds highly abusive of the Mail app's rendering capabilities, and points to exploitable paths within the Mail app that probably need to be tightened up by Apple. If LinkedIn can make an email "act" like that without any opt-in on my part, how would Mallory use the same "feature" in their latest SPAM campaign?
<s>Thanks LinkedIn... really, I'm impressed. When exactly did Walter Bishop start working for you?</s>
P.S. I look forward to following your pending class-action lawsuit for violation of US federal wiretapping laws. Cheers!
It's funny, I read all through that with my rose tinted glasses thinking they'd created a local IMAP server on the phone, which would have been clever (and, I think, doable)... in fact I was running this perception until
"Our proxy server is written in Ruby using EventMachine, which allows it to efficiently handle many concurrent IMAP connections"
And I thought, why the heck would one phone be issuing so many concurrent IMAP connections. Oh my naiveté.
"[iOS 7] opens many IMAP connections at once for searching each folder concurrently. We’re not sure on the upper bound on the number of connections it will make, but saw at least 10 in one case."
I tend to agree that no sane person with minimal technical knowledge would balk at this.
I already know that Yahoo! sells the email addresses of the people I exchange even one email with to LinkedIn and I am repulsed by this. LI then turns around and offers them as connections. I should note I am always logged out from LI to prevent even more evil from them. LI is just evil and should be eradicated.
I highly doubt Yahoo is selling your e-mail contacts to LI. Do you have any proof or citations? I suspect either you authorized LI in the past (and forgot it's still authorized), or your contacts have authorized LI so it's pulling in their e-mails with you, not yours.
I think you might be forgetting that by e-mailing said person, you become part of their contacts too. Should that person decide to import or sync their contacts in LinkedIn, a relationship between you and that person is established on their server. I.e., it's an _undirected_ edge between you and your contact, which they seem to use to display stuff back to you.
These "social" big data companies have a history of doing evil (or sometimes, stepping right up to that line) and $LKND certainly isn't in business to be altruistic.
I thank you for providing examples that prove my point. :) That's mostly speculation along the lines of "evil could have been done, therefore evil must have been done".
Where in the blog post does it say that your credentials are leaving the device in clear text. I know people don't like LinkedIn but I don't think even they would be dumb enough to do this over http.
How are they going to log in to your email account to MITM it, exactly, other than sending your password in cleartext to them? I'm not saying the connection itself is cleartext, but that they will be storing your email password in cleartext(!) to access your account at your email provider...
I think "your password is sent to LinkedIn" sufficiently and accurately describes what's happening. Adding "in cleartext" typically means via an unencrypted channel. Think about it. Every time you log in to a website via password, your browser sends the password to the server. We don't usually call that out for being in plaintext, unless it really is using http.
I think what they're getting at is that LinkedIn has a plaintext copy of your email password, not necessarily that it got there via some unencrypted channel. And because LinkedIn needs to be able to log in again, it has to store it in plaintext, which then leads to the possibility of another incident where they leak millions of passwords[0].
It doesn't actually need to store it to log in again. The next time your phone connects to LinkedIn's proxy, it will provide the password again. Yes, this is basically the same as omnipresent, but not quite. If the servers are confiscated/stolen in a powered down state, the passwords aren't there to recover. You can immediately limit your exposure by not using the service. There are no backup tapes to accidentally go missing.
Also, while rare, the client could theoretically be using something like Kerberos to authenticate, even over TLS. The password exchange is secret, but the data contents would not be. I don't think the iPhone supports Kerberos, though.
(All this is not proof that they aren't storing your password, just that it's feasible for LinkedIn to merely pass it through. And possible, though not probable, for them to never even see the password.)
I was just musing hypothetically, but can you elaborate on why this is bad? Surely sending an encoded password is better than a non-encoded one, and in a worst case only as bad as sending a cleartext password (i.e. what happens now).
I don't think I was proposing not using TLS, just that if you interpret sending cleartext password over TLS as "plain-text" then sending it encoded over TLS sounds better.
Well, if you hash your password client-side, what's the difference from using clear text? A MITM will intercept your hashed password and use that to login.
It's a good idea IMO, I don't understand why it gets so much flak. A server who doesn't want to know your secret is more trustworthy than one that does, a MITM might be able to hijack your account but he won't see your favourite password and you don't have to trust that the server is hashing the password at their end.
To avoid the "hash is a plaintext password" problem you save double-hashed passwords to your database, once in the browser and once on the back-end, twice on the back-end if JavaScript was disabled in your user-agent.
Of course that doesn't solve the problem above, but it still ought to be common practice.
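The "double hashing" arrangement described above (hash once in the browser, once more on the back-end, or twice on the back-end when JavaScript is off), as an added example that is not from this thread or from any site mentioned in it. The scheme, function names and the choice of SHA-256 plus PBKDF2 are assumptions; the code also shows the limitation the previous commenter raised: whatever value the browser sends is itself a valid login credential, so a captured client hash replays against the server.

```python
import hashlib
import hmac
import os

# Hypothetical parameters (not any real site's): the browser-side hash is a
# single fast digest, the server-side hash is deliberately slow.
SERVER_ITERATIONS = 100_000
SALT_BYTES = 16


def client_hash(username: str, password: str) -> str:
    """What the browser sends instead of the raw password.
    The username is mixed in so the same password on two accounts (or two
    sites) does not produce the same value on the wire."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


def server_store(client_value: str) -> dict:
    """Second hash, on the back-end: per-user random salt plus key stretching,
    applied to whatever the client sent."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", client_value.encode(), salt, SERVER_ITERATIONS)
    return {"salt": salt, "digest": digest}


def server_verify(record: dict, client_value: str) -> bool:
    """Recompute the salted digest and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", client_value.encode(), record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def fallback_store(username: str, password: str) -> dict:
    """JavaScript disabled: the back-end performs both hashes itself, so the
    stored record is interchangeable with one created via the browser path."""
    return server_store(client_hash(username, password))


def demo() -> dict:
    """Constructed walkthrough returning the facts a reviewer would check."""
    username, password = "alice", "correct horse battery staple"

    record = server_store(client_hash(username, password))  # browser path
    fallback = fallback_store(username, password)            # no-JS path

    # A value captured on the wire by a MITM is accepted as-is: the client
    # hash is a password-equivalent, which is the objection raised above.
    captured = client_hash(username, password)

    return {
        "login_ok": server_verify(record, client_hash(username, password)),
        "wrong_password_rejected": not server_verify(record, client_hash(username, "wrong")),
        "fallback_interchangeable": server_verify(fallback, client_hash(username, password)),
        "captured_hash_replays": server_verify(record, captured),
        # Same password, different user: different wire values, so a leak of
        # one site's records does not directly reveal logins elsewhere.
        "wire_values_differ_per_user": client_hash("alice", password) != client_hash("bob", password),
        # Two records for the same input differ because of the random salt.
        "records_salted": record["digest"] != fallback["digest"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

What the server gains is that it never handles the raw password and a leaked database still requires a slow, per-record guess; what it does not gain is protection against replay of the client hash, which only the transport layer (TLS) or a challenge-response design addresses.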
"A server who doesn't want to know your secret is more trustworthy than one that does" - I totally agree here, in many ways that's why projects like http://openpgpjs.org/ are fundamentally MORE important than more/newer layers of centralized encryption like TLS that are fundamentally bust in that we have to blindly trust the server. Yes yes, I know JS on untrusted/leaky browsers isn't totally bingo but at least someone is TRYING!
They need your cleartext pw in order to create a config profile and that's it. Why would they need to store your pw at all? Once the config profile is setup, the IMAP AUTH request gets proxied through them to the original provider and handled as normal. No need to store any pws at the proxy.
It's worth noting that they specifically state that for Gmail they can use OAuth through the refresh/access token system. Hopefully they do this for all other IMAP servers that support OAuth (there are a couple of them now).
However, for traditional IMAP/SMTP servers your point is well taken. They must store your credentials in a restorable state, which, however carefully you do it, has difficult security implications.
In order to inject content into the stream, they must be able to decrypt and interpret the stream. It is not quite as simple as a traditional proxy which may not actually have to know the content it is transmitting. They must have all content you send over the stream for a short period of time in-memory in a restorable (if not plaintext) state in order to read from the client's IMAP stream, interpret, then send over the IMAP server's secure SSL stream. The short period of time over which they must keep it does not free them from the security implications. All an intruder must do is gain access, then monitor the stream. I'm not saying that this is impossible to mitigate, just that you're trusting them to do it right.
That LinkedIn not violate one of the simplest, most fundamental notions of security: never ever give your credentials to a third party.
Part of being a semi-decent citizen of the internet is also not encouraging users to give third parties their credentials
It is a neat hack. I'd love this if it was "here's how we integrate LinkedIn into our email clients internally". It is novel and it does use CSS in weird and new ways. It should also not be a shipping public product. MITM is bad shit.
To be fair, they specifically mention that they use OAuth for Gmail/GApps.
It seems like they're aware of this but it's hardly their responsibility to avoid building a hack such as this just because Google are the only provider to allow IMAP access with OAuth. If more e-mail providers would allow such authentication, I'm sure LinkedIn would be happy to extend the support.
How about "the world isn't perfect and whilst it would be great to live up to our every ideal, our primary responsibility is running a business and providing a great experience for our users who, ultimately, in the vast majority regularly engage in such egregious violations of sensible security protocol that most-anything we do is unlikely to affect them and in cases where it would, said users are usually sufficiently literate to wish to avoid this anyway".
There is nothing new about this. Putting in a proxy to modify content is as old as the usage of TCP proxies. What is new here is that they have no shame -- I don't expect software from a reputed company to pipe my email through their servers.
To play the devil's advocate, how is this any different morally from what Gmail (and Outlook, and Yahoo) do with their external emails feature? In each case, you give them the credentials for your other account, they pull the mail and display it in their interface (which, presumably, adds some new features that don't exist in the other account. Like conversations and tags.) LinkedIn is doing pretty much the same thing.
Everything they do differently is irrelevant as long as the user is asking them to do those things. If Gmail starts showing me fetish porn that's bad, if a fetish porn site does the same thing it's fine.
The only relevant difference is security/privacy, in which Google may be more trustworthy but even that is debatable, regardless of which side of the debate you land on.
Nerd outrage hyperbole much? This is an OPT IN service. You know, only for people who WANT to use it? If it causes you this degree of apoplexy, you are in luck: you don't have to use it.
This service shouldn't exist. It breaks the very concept of email security. They're marketing it as though it's safe. Want hyperbole? Imagine Bayer marketing heroin as safe because you know, it's opt-in.
Why the hell not? Heroin from Bayer would not have the quality control issues Heroin typically has.
It only becomes problematic when you consider that the user is getting themselves into a situation that they do not fully understand and potentially cannot easily back themselves out of.
With drugs that have a high potential to cause harm, we typically force the consumer to consult a professional before allowing them to proceed. Tech is still in the era of patent medicines.
I understand the opinion, but I don't understand the sudden outrage.
LI, Google and Facebook have always wanted your third-party email credentials for Friend Finder-style features. The only difference is that this time we cannot even hope that they delete them after logging in once. Security-wise, it's all the same.
Right, so I should be ok about a company that recently lost 7 million passwords that were 'encrypted' using only SHA1, suddenly getting access to a whole raft more passwords?
Access to this many passwords is a threat even if my password is not one of them.
Finally, it may be opt in, but are they going to explain to the user that they get to keep a password for an account to which they have no legitimate right?
That's not quite true, in that all the emails I send to people who have opted in are now available to LinkedIn. You have no way of totally opting out without encrypting all your email.
For all you know, I (or anyone else you email) could have a simple "forward all email to [email protected]" filter running. If you don't want the second party to share your email with a third party, don't send the second party an email.
Like your average user is going to know the implications of opting into this service.
I doubt they have a warning when you install this "This is going to let us read all your emails AND the emails of people who communicate with you (without their consent)
...oh yes, and get your username / password for your email accounts"
And if I am communicating with someone who installed this hack then I certainly didn't opt-in.
It's only opt-in for the end user. If it were really opt-in, it would be opt-in for the domain owners and/or the email providers. Come to think of it, I wouldn't have an issue with this, and it might be worth it for recruiters who use LinkedIn for everything (and in my opinion are doing it wrong).
How are they handling attachments? Are my attachments going through their proxy? Can they see them? What if their servers are down? What if their servers are hacked more easily than some other allowing for all mail passing to be slurped?
I'm curious: given the negativity of the comments why does the post have so many upvotes?
Do people find the technical details interesting despite the privacy concerns?
Either way, congrats to Martin, Sam and others on the launch. Getting something out the door to such a wide audience after working on it for over a year must be quite a challenge.
I think people decided that this was something worth discussing. A lot of times I won't necessarily agree with or like the post that I'm upvoting, but I upvote it so that it gets more visibility and then I can read other people's opinions and analysis of the thing at hand.
Next thing: store your S/MIME private keys on LinkedIn servers to enable the feature also for encrypted mails...
I think LinkedIn should not offer every feature that's technically possible. Things should stay within reason, and some things should not be offered, especially not to non-savvy users.
"I'm surprised that configuration profiles can be shipped to an arbitrary device from a third party this way without the user manually installing LinkedIn's certificate as trusted."
The user has to install the profile as trusted. There is no mechanism for auto installing a profile. Similar to TestFlight and the profile you install to use that.
The value for LinkedIn to vacuum up my email is immense! They'll know everyone I email and the content of the emails as well. They'll know where I shop and what I purchase. If I send a private email to a friend who has this installed, I've now unknowingly bcc'ed LinkedIn. Not only that, but they know this for the entire history of my email account! The person I stopped emailing 7 years ago... LinkedIn has access to that as well.
But in this case I don't think the value prop for the user is big enough to make me overcome this large of an ask.
I appreciate LinkedIn addressing this in their Privacy Pledge, but so long as they retain the right to change it at any time, I'm too uncomfortable to install this. But, I'm still in awe of the creative work-around. :)
Thanks for this comment, nostromo. You've managed to address privacy problems with the Linkedin Intro while praising the technical solution. This is a great example of constructive criticism that I, for one, would like to see more on HN. Constant raging decreases the efficiency of knowledge transfer and community building.
Maybe one such comment / thread would be enough to significantly increase quality of a discussion.
My sarcasm processing engine had a coredump. I have no idea who is sincere anymore in this thread. Please turn on sarcasm tags so I should know whether to agree/disagree, be pissed, etc.
We need to have user-generated labels attached to comments: sarcastic, flamebait, domain expert, etc. And then go even more meta and have algorithms and/or privileged users affirm the label. Let's throw in some labels for common cognitive biases, statistical errors, logical fallacies and eagerly slap them on all popular offending comments. And then go all in on multivariate testing of mutations of algorithms optimizing for best (your definition may vary) discourse.
If such a thing happened and became popular, the someone-is-wrong-on-the-internet crowd would be puking rainbows all day long.
I guess it is only a question of time before this becomes feasible.
Maybe we should be discussing Apple's closed-ass OS instead of harping on the only workaround that could possibly exist. Such "creative" measures wouldn't need to be taken if it was simple for a user to augment their email app.
> if it was simple for a user to augment their email app
You don't really think it's ever "simple" for a user to augment their email app?
Plugins are hard to implement on both ends, and they complicate otherwise simple apps. Open source is also hard, because every codebase is different in many and often unpredictable ways from others. Not even an experienced programmer would always be able to crack open the source to a mobile email client and make this sort of modification.
You can't really expect a mobile email client to allow third parties to add their own extensions to it.
If they were that fussed they could have tried to make a clone of an email client and integrate their own features. If it was better than the default client, people would use it (I use Sparrow on my iPhone for email, not touched the default Mail app for years).
You know how hard it is to get people to migrate from something as ingrained as an email app? Even a great client will suffer from the migration pain.
And to respond to criticisms of "plugin dev difficulty," that's bs. Browser clients have a world more complication when it comes to supporting a plugin environment, and they make it work just fine.
No, they don't, and you keep posting that they do despite being proven wrong several times in the past. They lost hashed passwords which are not user credentials.
> No, they don't, and you keep posting that they do despite being proven wrong several times in the past.
You must have me confused with someone else.
> They lost hashed passwords which are not user credentials.
While you may be technically correct about credentials vs. hashed passwords, that distinction isn't relevant here. Losing hashed but unsalted passwords is still just as harmful.
> They lost hashed passwords which are not user credentials.
These passwords were unsalted SHA1, that's about as good as rot13. LinkedIn has clearly proved completely unable to do things correctly, if that applies to passwords it applies to everything else.
You do realize that cracking unsalted SHA1 passwords isn't that hard, right? Perhaps you should educate yourself on the wonderful world of GPU password cracking and the enormous speed at which a handful of consumer-grade video cards working in concert can utterly smash through a database like this.
edit: Here's a blog post about being able to brute force 33.1 billion MD5 hashes a second using GPUs: http://blog.zorinaq.com/?e=43
Couldn't agree more, not just because of the possible security implications, but also because it can seriously back-fire against you, in terms of potentially damaging your reputation.
A closely related example would be of a web app I stumbled upon recently via an unexpected email I received in my LinkedIn inbox about a new educational platform that supposedly one of my contacts was recommending me to try. Curious and suspicious, I opened the link and clicked on 'connect with LinkedIn'. In small script, the app was requiring me to authorize it to send emails on my behalf, which is exactly the case of the original unsolicited message I had received: another unsuspecting user just glossed over the terms and connected their LinkedIn account to this app....resulting in all of their contacts being spammed with the message. The 'victim' was displeased to say the least when I warned them what their account was doing without their knowledge.
Had I not been careful about that and proceeded to authorize the app, I would've most likely been booted off at least a few people's contact lists for spamming them with such stuff irrelevant to their interests.
If you think about the reach LinkedIn has, combine that with each contact the LinkedIn user has and you have a very vast database of emails that can be misused.
If you look at one of LinkedIn's alternate applications, LinkedIn Contacts, http://contacts.linkedin.com/ it actually is a light-weight CRM application. By CRM I mean it automatically connects your email and calendar to your LinkedIn account to know when and how you are interfacing with people. I get a daily email with the meetings that I had the day before about who I met, as well as information on their LI profile about the last email conversation I had with them. This is super nice if you meet a bunch of people and need a way to take notes on who they are and what they are doing, independent of their business card.
The contacts application also sends things like reminders for your contacts' work anniversaries or when they change positions (something that you can't access in the LI API).
I sometimes think that I shouldn't be giving LI all of this information, but this is a typical case where the benefit received is greater than my privacy concerns.
Isn't that the whole point of Rapportive? They're the only company I can think of off the top of my head that has successfully solved the "social profile matching" problem.
This is essentially a mitm attack. I am amazed that a company the size of LinkedIn would think that this is in any way appropriate. These are the tricks of spammers and cyber criminals. This is what LinkedIn has become.
Will customers be explicitly told that all of their emails will be going through and stored on LinkedIn servers? I doubt it. I do envision a dialog box along the lines of "Click Here to make your experience better". Sadly people will click without realizing the implications.
The "attack" part of "man in the middle attack" refers to the fact that it is done secretly and generally with ill intentions. LinkedIn is not being secretive (and we can speculate about their intentions). If everything that's in the middle of something is a man in the middle attack, then that would include your home router.
I work in enterprise information security, and my team agreed upon hearing this news that if this was used on our email system, we would consider it a MITM attack. Whether or not the end user opted in, the corporation did not.
So, in the context of use in environments where your email address is not fully owned by you, attack would be a valid word. Otherwise, I agree that it's a MITM but not an attack.
I appreciate the data point, but I must admit that sounds very unreasonable, unless you're considering the employer as the attacker. Would the same apply if an employee were using a VPN at work?
We do block VPN on our corporate network, yes. A VPN is a tunnel that hides user activity from our monitoring and DLP tools and use of VPN from our network to the outside is against policy. Likewise, sharing your credentials with a third party is against policy.
The attacker is LinkedIn. The employee is the attack vector. LinkedIn is engaging in a phishing attack.
You didn't explicitly answer whether you consider VPN usage to be a man in the middle attack. I understand banning it (as well as this LinkedIn feature) on a corporate network, but not considering either a man in the middle attack.
VPN is a tunnel, not a MITM. It's used to bypass our monitoring and filtering. You're tunneling out of our network into someone else's, which may have more favorable rules.
This is a MITM, because LinkedIn is intercepting and modifying the traffic between the email server and the client machine, traffic which is supposed to only be read by the recipient. A VPN isn't intercepting traffic, it's used to tunnel traffic. LinkedIn is positioning themselves directly between the traffic source and the destination to read and modify the transmission.
No, in the same way we don't fire people for getting viruses on their computer. Without a reason to believe the action was intentionally designed to cause harm to the business, like cstrat said, education is the best way to handle it. It would be hard to prove malicious intent in a case like this. LinkedIn would be attacking us, the user would just be an attack vector. It's akin to getting phished.
I agree, and I think the major email providers should block it. Maybe Google can just cut off their API access and stop using LinkedIn for recruiting. That ought to get their attention.
Given that a lot of users are technically unaware of what they are doing, it would be akin to firing someone for falling for one of those pop ups that offers to do a free virus scan. If you are a pharmaceutical sales rep and you read that LI blog post, you probably think it is perfectly safe...
I would think the responsibility falls back onto IT to educate users - and to block connections from LI to the mail server.
I do think LinkedIn has ill intentions. In my opinion, their intentions are to collect, analyze, and ultimately profit from their user's email data. All under the guise of offering some marginal benefit.
But you do have to take into account the context of what they are doing. Yes on a technical scale it is similar to a mitm attack, and yes in theory they do have access to your email content, but I don't think that by using an interesting trick to add a useful feature should put them in the same category as sleazy hackers secretly trying to steal your credit cards and such.
Does it matter? They are purposefully inserting themselves into a stream of information which they largely have no business being a party to.
If (when?) this proxy service is compromised are they willing to be accountable for any information which leaks? I can't imagine wanting to even take on this risk (maybe I'm too conservative).
Edit: I just want to add - yes, it's interesting. Yes, it's sleazy.
There is a saying you may have heard before, "the road to Hell is paved with good intentions." Intent doesn't matter at all, because someone will inevitably figure out a) how, and b) why to take advantage of it for nefarious purposes.
Misleading title. Nobody did the impossible on iOS, just did clever things within the available frameworks. Well done author, it works. But did you ask yourself "should I really do this?"
What I hope is going to prove truly impossible is doing anything like this without requiring the user to explicitly accept the configuration profile. Even so I expect they will trick many into allowing "enhancement" of their email.
LinkedIn has a history of abusing email. From the early days* where they would email all of the contacts on your machine if you didn't read carefully enough to today where you can click unsubscribe many, many times and still get "important updates". It's a wretched hive of scum and recruiters, and they will never get between me and my email.
Fortunately the technical details of how to determine the user agent to block are included, along with a reference to LinkedIn's own support explaining that 'LinkedInEWS' is the value to add to the blocklist!
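A way for a mail administrator to confirm that block is actually holding, as an added example that is not from this thread or from LinkedIn's support page: a small scan over constructed, simplified IIS-style EWS access-log lines that flags any request whose user agent contains the 'LinkedInEWS' value named above. The log layout (date, time, client IP, method, URI, user agent, status) and the IP addresses are assumptions; the blocklist can take further values if a provider publishes them.

```python
from dataclasses import dataclass

# The only value taken from the page: the user agent LinkedIn's own support
# says to add to the blocklist. Further entries are an assumption.
BLOCKED_USER_AGENTS = ("LinkedInEWS",)

# Constructed sample log, simplified IIS-style: spaces inside the user agent
# are written as '+' so every line splits cleanly on whitespace.
SAMPLE_LOG = """\
2013-10-24 09:12:01 10.0.0.5 POST /EWS/Exchange.asmx Apple-iPhone5C2/1107.76 200
2013-10-24 09:12:03 203.0.113.7 POST /EWS/Exchange.asmx LinkedInEWS/1.0 200
2013-10-24 09:12:04 10.0.0.9 GET /owa/ Mozilla/5.0+(Windows+NT+6.1) 200
2013-10-24 09:12:09 203.0.113.8 POST /EWS/Exchange.asmx linkedinews 401
# a comment line, ignored by the parser
2013-10-24 09:12:11 10.0.0.5 POST /EWS/Exchange.asmx Apple-iPhone5C2/1107.76 200
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client_ip: str
    user_agent: str
    status: int


def parse_line(line: str):
    """Return (timestamp, ip, user_agent, status) or None for blank/comment
    or malformed lines, so one bad line does not abort the scan."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time, ip, _method, _uri, ua, status = fields
    if not status.isdigit():
        return None
    return f"{date} {time}", ip, ua.replace("+", " "), int(status)


def find_blocked(lines, blocklist=BLOCKED_USER_AGENTS):
    """Flag every request whose user agent contains a blocklisted value.
    Matching is case-insensitive so a lower-cased variant is not missed."""
    needles = [b.lower() for b in blocklist]
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, ip, ua, status = parsed
        if any(n in ua.lower() for n in needles):
            hits.append(Hit(timestamp, ip, ua, status))
    return hits


def unblocked_hits(hits):
    """A 2xx status on a flagged request means the block is not effective yet."""
    return [h for h in hits if 200 <= h.status < 300]


if __name__ == "__main__":
    found = find_blocked(SAMPLE_LOG.splitlines())
    for h in found:
        verdict = "STILL ALLOWED" if 200 <= h.status < 300 else "blocked"
        print(f"{h.timestamp} {h.client_ip} {h.user_agent!r} -> {verdict}")
```

Run against a real log export, the interesting output is the "STILL ALLOWED" lines: a flagged user agent that is still receiving 2xx responses means the blocklist entry is not in force on that front end.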
Technologically this is straightforward: it uses a proxy server that sits in between you and your actual mailserver.
I think the privacy concerns of having your mail (potentially) available over yet another server in exchange for modest convenience makes it unlikely that I would use this, but I'm sure many will find the trade-off acceptable and desirable.
You're doubling your surface for anything unethical, too. It's not just the NSA, so it really makes no sense to take additional risk in this regard. You are adding an [or] operator, one that can lead to a complete failure mode. This is the opposite of risk diversification. Unless I'm missing something.
Yes, Google has your email, but not your credentials. A breach of your email exposes all the email you have now. Bad, yes. A breach of your credentials exposes all the email you get until you change them, and if you don't know to change them...
Before every email ask yourself "if this email went public, would anyone care?" If I ever answer "yes", I don't send it. I either call or meet in person assuming we're not too remote.
Yes, I would never want them (or virtually any third party) to have the ability to access my inbox, much less stand in between my mail provider and myself.
Why would the service close? It's supported by LinkedIn and AFAIK they're not in the habit of shutting things down. This almost feels like a no-brainer for them, especially given the move to mobile devices and locked-down apps.
Edit: Have I missed the point? I'm sure LinkedIn is a little more cautious about such changes than your average newly-founded startup. This product gives them access to people's emails which they can probably glean a lot of info from. They already try to get access into email accounts (username + password) via the LinkedIn webapp so in a way this is just extending that to mobile. The only reason I can imagine them shutting it down is if no-one uses it (in which case, no one will complain).
Think of it like a value proposition. Is the (dubious IMO) convenience of having LinkedIn profiles in your email worth the cost of LinkedIn having the content of your email? Even if they pinky-swear to never read it, don't forget that this proxy email server would be, overnight, one of the most valuable corporate espionage targets in the world.
(If yes, you should probably ditch reading email and do something more productive with your time, like picking up cans.)
Fair enough but as I tried (and obviously failed) to caveat, these are not shutdowns I really knew about. I clearly wasn't a user of those products so I didn't feel any pain when they went away.
Perhaps my claim is weak and my knowledge limited but I find it more ridiculous to claim the inevitability of a closure before a product is even being used.
NB I feel I should add that I'm not going to be a user of this product as I won't hand over email access. However, I can imagine many people who don't think the same finding it very useful.
That is an interesting note, but if the business is using Gmail (http://www.google.com/enterprise/apps/business/products.html) maybe that's because they trust Google's services. Trusting one third party doesn't imply that you trust all third parties.
Holy fucking shit Batman! Assuming I read this correctly LinkedIn will now have access to all of your emails, your email credentials, and will now have the ability to both spoof your email, and MITM all incoming mail (banking etc). I was actually impressed at some of the little hacks they found, until they dropped this on me halfway through the blog. My jaw hit the ground.
This is probably the most blatant disregard for privacy and security for the smallest possible benefit that I have ever seen. Well, next to giving LinkedIn the password to your email so that they can spam your friends and hack your account.
Everyone needs to stop using this piece of shit service. They're incompetent and malicious. LinkedIn is the Zynga of HR. I'm gonna go buy some puts.
IMO, LinkedIn has a history of enough bad business practices that it should be shunned like a pariah and treated with complete suspicion that they may have ulterior motives in designing this MITM app.
I have never joined LinkedIn and have never been interested in any position that requires an easily gamed LinkedIn profile instead of meatspace references.
Not only does it obliterate users' security but it introduces a potentially unreliable point of failure. Sometimes the hack is worse than the problem it solves. I hope they're being extremely upfront with users about how this works, not that most users will really understand the implications...
Good point re point of failure. If LinkedIn doesn't put a lot of resources into the proxy servers, mail delivery could be very slow or fail completely.
I'm still impressed with the creativity from a technical standpoint.
I'm not overly impressed by the architecture; it's basically a de luxe version of the IMAP push-proxies that were common in the early 2000s, such as Nokia Mail ( I think it was called ).
Phone <------ Proxy <----- IMAP hosts
Same problem; all your lovely lovely communications flowing through the Proxy. And your tasty credentials, too.
LinkedIn have taken the old pattern and injected some data at the Proxy point, enriched from their databases.
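The Phone <- Proxy <- IMAP hosts pattern above is delivered to the device as a configuration profile that adds a mail account. As an added example (not code from the thread or from LinkedIn), here is an audit that reads such a .mobileconfig plist and flags accounts whose incoming server is not the provider's own IMAP host, accounts that embed the mailbox password, and accounts without TLS. The payload keys are the documented ones for the com.apple.mail.managed payload; the profile and the allow-list are constructed assumptions.

```python
"""Audit an iOS configuration profile (.mobileconfig plist) for mail
accounts that would route IMAP traffic (and credentials) through an
unexpected host.

Added example, not code from the original thread. The payload keys are
the documented ones for the com.apple.mail.managed payload type; the
profile below is a constructed sample, and EXPECTED_IMAP_HOSTS is an
assumed allow-list you would replace with your own provider's hosts.
"""
import plistlib
from typing import Dict, List, Set

# Assumed allow-list: mail domain -> IMAP hosts that domain legitimately uses.
EXPECTED_IMAP_HOSTS: Dict[str, Set[str]] = {
    "example.com": {"imap.example.com"},
}

# Constructed sample profile: one IMAP account whose incoming server is a
# third-party proxy rather than the provider's own host, with the password
# embedded in the profile.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>EmailAccountDescription</key><string>Work mail via proxy</string>
      <key>EmailAddress</key><string>alice@example.com</string>
      <key>IncomingMailServerHostName</key><string>imap-proxy.third-party.invalid</string>
      <key>IncomingMailServerPortNumber</key><integer>993</integer>
      <key>IncomingMailServerUseSSL</key><true/>
      <key>IncomingMailServerUsername</key><string>alice@example.com</string>
      <key>IncomingPassword</key><string>CONSTRUCTED-PASSWORD</string>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_profile(profile_bytes: bytes,
                  expected: Dict[str, Set[str]] = EXPECTED_IMAP_HOSTS) -> List[str]:
    """Return one finding string per problem found in the profile's mail payloads."""
    findings: List[str] = []
    root = plistlib.loads(profile_bytes)
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mail.managed":
            continue
        address = payload.get("EmailAddress", "")
        domain = address.rpartition("@")[2].lower()
        host = payload.get("IncomingMailServerHostName", "").lower()
        desc = payload.get("EmailAccountDescription", address)

        # The core check: does the account talk to the provider, or to a middlebox?
        allowed = expected.get(domain)
        if allowed is not None and host not in allowed:
            findings.append(
                f"{desc}: incoming server {host!r} is not a known IMAP host for "
                f"{domain}; all mail and the login would flow through it")
        # A profile carrying the password means the credential already left
        # the device to whoever generated the profile.
        if "IncomingPassword" in payload:
            findings.append(f"{desc}: profile embeds the mailbox password in cleartext")
        if not payload.get("IncomingMailServerUseSSL", False):
            findings.append(f"{desc}: incoming connection does not use SSL/TLS")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```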
Even if it has a lot of resources behind it, if it experienced an outage, the end user would be unaware that their mail service is still up, and since they didn't change the settings, they wouldn't know they could remove the proxy to access their mail until the outage is resolved.
I don't understand why trusting LI with all your email is worse than trusting Google with all your email.
Sure, if you do it for your corporate email, you may be violating the rules of your employer, but that's between you and your employer, and not enough reason to keep others from using an amazingly useful service for their own personal email.
Lost in all this discussion is just how awesome Rapportive is - the desktop gmail version has concretely and significantly changed my life for the better, and that's not hyperbole. Being able to research people without leaving my inbox has saved hours of time in my life, made my communications with those people more effective, and prevented me from making at least a couple serious errors.
All that is worth the added risk, especially for my personal email. Curious: does everyone in this thread have equal outrage for those widgets that log into your email clients so that you can invite your friends?
> I don't understand why trusting LI with all your email is worse than trusting Google with all your email.
This is like trusting LI and Google with all your email. Trusting any 2 parties with your email is less secure than trusting 1 party with it. This increases when only 1 of them is in the business of providing email. What is the other party's interest, and does this conflict with your trust?
So you give up your email credentials to LinkedIn and in exchange you get a little widget that tells you the name of the person who is emailing you, the company they work for, their position in the company, and some contact information? Isn't that what the signature line is for? Seriously, don't people already set up their signature line to include all that information?
Over 500 million people trust Google with complete and indefinite access to their email. The leap from trusting no external email providers to trusting Gmail is much greater than this incremental step of trusting LinkedIn as well. The risk is similar to trusting an established company to automatically backup your emails, and smaller than trusting startups like Greplin (which rebranded and got acquired) to safeguard a dump of all your emails.
This is not to say the privacy and uptime risks are non-existent: the attack surface area is marginally increased and there is another system that could break.
Claiming LinkedIn's doing a "MITM attack on your email" is on the same level as saying "Google is Big Brother." Both statements capture an element of reality, but with an extremely alarmist bent.
With your claim, why not make your e-mail public? If you're not worried about Google -- who is already in bed with the NSA -- and you're not worried about LinkedIn -- who is proposing to proxy ALL your e-mails -- then just set up a script to auto-dump every single e-mail you get to GitHub.
Win Win! You get to act like privacy isn't a real threat, and you validate your point!
But please, don't assume that LinkedIn is universally not trusted, the same way you assume that Microsoft is universally hated.
This is a neat feature, and I'm sure that many people trust LinkedIn enough to think that the trade-off is worth it. Would you prefer to not have the choice to have access to this feature, and prevent others from having it too?
I don't see this kind of reaction when 99% of other services ask for access to a third-party API. Why is this so different? Is it because they have access to emails? What makes email SO MUCH more important than any other data to be in a category of their own? I don't think you can draw a line, and it's pure subjectivity.
Surely, the service itself is not a problem. Google would do the same thing, and you would all think it's the best thing since sliced bread? Why? Because most people already trust Google with their emails (and everything else), and accept that they know everything about them.
So please, don't criticize the solution, don't blame the hack (unless you can suggest a better way to do it). The only good reason not to use it is for lack of trust for LinkedIn, and nothing else.
I've had enough of your drama-seeking behaviors, and I don't think I'm the only one. Grow up.
"Would you prefer to not have the choice to have access to this feature, and prevent others from having it too?"
Yes, I would prefer that. LinkedIn has not shown itself to be a particularly good or careful actor in the past, and now, even if I don't opt in to this, my email to people using this feature runs through LinkedIn servers. There are always third parties between me and the person I'm emailing, but as the number increases, the likelihood of compromise or failure of delivery increases.
Common socialist thinking. People on top know better, therefore they should limit the freedom of the plebs.
Consider yourself lucky that you trust Google. Otherwise, imagine how risky it would be for you to email most people!
Paranoia is a hell of a disease. Probably the mental disorder of this era. Just look at all the drama that surrounds the NSA and "privacy".
In an alternative reality, people would probably pay for companies to spread their information publicly. And you know what? I'm confident that this reality is our future.
Learn to fight for the right things. Pro-tip: it's not privacy.
> What makes email SO MUCH more important than any other data to be in a category of their own?
The fact that email has become the de-facto master password for our online lives. If an attacker has my github password, they can push shitty code and write messages that I can roll back on the next day. If they have my email credentials, they can take over most of my online accounts anywhere.
Apart from actually giving them the power to slip-stream their content into your messages, how is this different (access-wise) to what people have granted to the email-management app Mailbox? Seems like in both cases, you're handing control of your inbox content over to an additional 3rd party unnecessarily.
According to "Pledge of Privacy"[1], no. It seems they will also modify your outgoing mail to remove the profile info.
So in addition to reading your incoming mail they can also modify your outgoing mail as well.
Suppose that user B gets mail from A, then forwards it to C. I'd see why this could be valuable info for a company like this (and also has a high potential for abuse).
Wow, it even says right there that if you forward or reply via a different account, the full content remains in the message (of course!). I'd imagine the same thing would happen if you moved the message from a folder in one imap account to a folder in another imap account. Nice.
My initial reaction to this blog post was basically revulsion on a gut level, but the more I think about it, the more my revulsion becomes justified on a rational level.
So there's a nontrivial chance that if I'm connected to someone in LinkedIn whose profile is "private", then if I forward a message from him (containing this LinkedIn flair) to some third party (who is not connected to him), then I could expose his profile details to the third party? That's a privacy lawsuit just waiting to happen.
Every time I get an email from LinkedIn with updates on private profiles of people I am connected to I could forward that email to anyone, is that a privacy lawsuit waiting to happen too?
It took me a moment to understand what you're saying, which (correct me if I'm wrong) is that they could just forward the credentials along to the imap server they're proxying for, and not store those credentials themselves.
However, in 2013 it should be clear that it is no way whatsoever safe to just assume that information flowing through a third party's server will not be stored.
Anyone can send email as anyone else anyway. That lack of security is inherent in the way email currently works. Not sure I see how giving IMAP access makes things worse since IMAP doesn't have a mechanism for sending messages.
I would also hope they're not storing passwords in plaintext. Obviously they need access to the plaintext password to auth with your mail server, but I would hope this is still stored encrypted.
Which is why the key should be physically given to the system when it is started and then only stored in memory. The key file should not be available on any network-attached machine. Of course there's still potential for exploits in this scenario, but it does help minimize the attack surface.
Proxy to return a header in your email. CSS to render the content upon click. IFrame to update content so it doesn't get cached.
Cute web hacks. I don't understand the problem with simply using their mobile app if you were really looking for work.
It sounds like an unnecessary feature for people who are looking and an annoyance to people who are not. That seems to be the problem of Linked In. They harass those who are working with vague and misplaced job requests in an attempt to expand their reach.
I don't think it is designed for people "looking for work". It seems to be built for business development. For example, an email like: "Hey, we met at a conference last month, just wanted to follow up..." - now you can see who they are, where they work, a profile picture to jog your memory and quickly connect - all from your email client. Very similar to what Rapportive did for Gmail.
That's actually a good point. I never would think to use Linked in as a business card. I usually would just write, "Hey it's me from that place we met."
Here's the thing though, whenever I send an email like that to someone I always include my LinkedIn profile for them to check out, which would redirect to the app on their phone. Personally, it does seem a bit unnecessary to include this feature.
This thread is a great example of filter-bubble thinking.
There is a trade-off between security and features here, and while for some people it'll be worth it for others it won't.
The majority of posters here are likely developers/technical people for whom the features aren't that important and for whom security is a much higher priority (because they're thinking about it from a personal email perspective rather than a professional email perspective).
For people working in bizdev, sales, recruitment, etc. their equation is completely different. This delivers them high-value (being able to close more deals faster) with a relatively lower security trade-off.
Their professional email account is likely already hooked into their CRM, email analytics, backup service, audit and archiving services, address book services, etc. Their PA and corporate IT likely has access to their email as well. Adding Linkedin is just one more service from a company they already trust with highly confidential information (leads, Linkedin inbox mails, etc.)
(incidentally I'm guessing a lot of HN users probably have half a dozen chrome extensions for SEO, screen grabbing, debugging, etc. from unverified sources which have access to far more information than just your email credentials)
How technical or not you are has nothing to do with how much you care about the security of your email. LI is just hoping that they'll gain trust by being open about their process because they're counting on that "transparency" to help people feel comfortable about installing it.
This is cool. I'm a little concerned that what they've done exposes some security holes in the iPhone mail client. And, all of this work will be for naught when Apple fixes those.
(Specifically, iframes in emails have been stripped from most modern email clients for years)
Yeah, I'm pretty shocked that iframes work at all.
Spammers could very, very easily abuse this. Send a valid-looking e-mail, then swap out the iframe content with something spammy once they've all been delivered.
> A little-known fact about CSS on Mobile Safari: in certain circumstances, tapping a link once simulates a :hover state on that link, and tapping it twice has the effect of a click.
I have noticed that on websites that clearly don't intend that behavior, and it's quite annoying. Does anyone have any details about the exact circumstances required for this phenomenon?
This is Apple trying (and IMO succeeding admirably) to handle hover navigation in a touch environment. The alternative is to be totally accurate and never fire a hover or mouse event--thereby breaking many site navs completely.
Hover navs are a usability problem and should never have been built in the first place. Computer OS and application developers figured that out years ago but for some reason web developers never got the memo.
Despite the privacy concern everyone is worrying about, it is a beautiful integration. Technology is supposed to make life easier, not harder. Since Apple didn't open the door, someone else will end up doing it. I am sure an open source solution with its own proxy + LinkedIn api will work as well. That should take away the privacy concern.
Now you have 220,000,000 LinkedIn users all running their email traffic through LinkedIn's proxy. I'm sure they have the bandwidth and CPU to handle that.
We're talking about mail. There's an equal distribution of users across many IMAP servers, most run by companies like Google and Microsoft that can handle the flow. Now we're redirecting all inbound mail traffic through exactly one host.
I see a lot of people (understandably) getting upset about the MITM aspect of this. But almost as surprising to me was the fact that you can load an iframe in an email with apparently no warning or notification to the user. This seems like it's asking for exploitation, even without the ability to run JavaScript.
Even if we disregard the privacy concerns and trust the third party with our inbox, I can't help imagining the consequences of a quiet compromise of their proxy service.
I would only say that it is a violation of trust if they somehow installed the certificate on your phone when installing the linkedIn app...
If a user knowingly installs this, with the understanding that linkedin is essentially a proxy for their entire email ecosystem - then they are knowingly trusting linkedin.
To be honest, I can see this being used by sales reps. They are often interested in connecting to people and understanding people's backgrounds. They also move quite freely between organisations, and don't have a religious tie to their email and/or privacy (in the sense of their corporate email privacy).
1) Your average user has no idea what an iOS cert is doing.
2) Your average IT department in any publicly traded company would NEVER let this fly.
3) Any general counsel would shit all over this. No one likes fighting with lawyers, and this is a battle I'd never put on my plate.
It's odd to assume generic users understand IMAP or what a proxy is. Remember how Apple makes products for dumb people? Yeah. They ran a campaign on that.
On top of all of this, they have a "if you're a Google Apps admin" section where the only way to block it is to disable ALL OAuth applications.
No self-respecting CTO/CIO would let this occur in an organization they hope to responsibly grow.
You are correct. I guess it all comes down to how transparent Linkedin are with the users installing this stuff.
Will they disclose to the user exactly how this works like in their blog post - or will they obfuscate the whole activity and represent something else to the user.
Which parts would Apple have an issue with? The proxy server is the only part I can think of. Using images, CSS, and iframes in Mail is presumably a very deliberate feature.
I doubt they intended something like this to be possible, but what remains to see is whether or not they'll be OK with it. I wouldn't be surprised if Apple disabled :hover and other interactive CSS features within Mail.app in a future update.
Apple has blocked apps for a lot less than providing a feature that intercepts users' email and email password to circumvent Apple's own sandboxing and inject content into their mailbox...
Apple could yank the certificate that LinkedIn is using for configuration profiles, which would make installation significantly more difficult for the average user.
Uhm... Apple doesn't whitelist nor blacklist services -- read: TCP connections to whoever you want. LinkedIn, in this case, is well within Apple's TOS/EULA.
I think you're confused about the policies on their app store.
I am speechless. This is like the Facebook Android "hack" of the VM to support their crappy app wanting to use lots of classes, only this one is less offensive technically and more offensive from the security point of view. WTF.
"an IMAP client may assume that the message will never change"
I burst out in laughter at that point. Yeah, that silly presumptuous email client assuming an email is some kind of text message that doesn't change every time you read it!
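The quoted assumption is real: IMAP identifies a message by (UIDVALIDITY, UID) and treats its content as immutable, which is exactly what lets clients cache. As an added example, not from the thread or from LinkedIn, here is a small client-side cache that digests each fetched message under that key and reports when the same UID comes back with different content, while correctly discarding the cache (no finding) when UIDVALIDITY changes. The messages and the injected header are constructed samples.

```python
"""Detect server-side rewriting of an IMAP message a client has already cached.

Added example, not code from the original thread. IMAP (RFC 3501) promises
that a message identified by (UIDVALIDITY, UID) never changes, so clients
cache by that key; a proxy that rewrites bodies on every fetch breaks that
promise. The messages below are constructed samples; nothing is fetched
over the network.
"""
import hashlib
from typing import Dict, Optional, Tuple


def message_digest(raw_message: bytes) -> str:
    """SHA-256 over the raw RFC 822 bytes, headers included."""
    return hashlib.sha256(raw_message).hexdigest()


class CachedMailbox:
    """Minimal client-side cache: one digest per UID for the current UIDVALIDITY."""

    def __init__(self) -> None:
        self._uidvalidity: Optional[int] = None
        self._digests: Dict[int, str] = {}

    def observe(self, uidvalidity: int, uid: int, raw_message: bytes) -> Optional[str]:
        """Record a fetched message; return a finding if it differs from the cached copy.

        A changed UIDVALIDITY legitimately invalidates every cached UID, so the
        cache is dropped rather than reported as tampering.
        """
        if uidvalidity != self._uidvalidity:
            self._uidvalidity = uidvalidity
            self._digests.clear()

        digest = message_digest(raw_message)
        previous = self._digests.get(uid)
        if previous is None:
            self._digests[uid] = digest
            return None
        if previous != digest:
            return (f"UID {uid} (UIDVALIDITY {uidvalidity}) changed between fetches: "
                    f"{previous[:12]} -> {digest[:12]}; something between the client "
                    "and the mailbox is rewriting messages")
        return None


# Constructed sample: the same UID fetched twice. The second copy carries an
# added header and an HTML wrapper, as a content-injecting proxy would produce.
ORIGINAL = (b"From: bob@example.com\r\nSubject: Lunch?\r\n"
            b"Content-Type: text/plain\r\n\r\nSee you in 5 minutes.\r\n")
REWRITTEN = (b"From: bob@example.com\r\nSubject: Lunch?\r\n"
             b"X-Constructed-Injected-Header: yes\r\n"
             b"Content-Type: text/html\r\n\r\n<div>See you in 5 minutes.</div>"
             b"<iframe src=\"https://proxy.invalid/card\"></iframe>\r\n")


def demo() -> Tuple[Optional[str], Optional[str]]:
    """First fetch is cached silently; second fetch of the same UID is flagged."""
    box = CachedMailbox()
    first = box.observe(1401, 42, ORIGINAL)
    second = box.observe(1401, 42, REWRITTEN)
    return first, second


if __name__ == "__main__":
    print(demo())
```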
I think it's a fairly well implemented hack.
One question: does the iPhone mail client load the contents of iframes by default? Don't these clients typically not load remote content like images?
I believe this is somewhat of a defensive tactic. Let's write a sugar-flavored article about how neat their hack is before someone says "wait a minute! WTF?!".
To all those who consider this a cool hack - it's not. It's ugly as hell. Sometimes you need to do this kind of shit to get the job done, it's true, but you know this is the kind of thing that you look at after a couple of months and think "Oh God, I should get another job. They shouldn't force me to create THIS. Oh God, I feel so miserable.".
A privacy pledge, how cute! The problem with stuff like this is not knowing the third, fourth, and fifth party uses. Granted most users don't read these disclosures and even more don't understand the technical aspects of how this works. But even if you're ok with one big evil company having access to your inbox, allowing two just seems crazy. What happens when LinkedIn thinks of a cool way to use your emails from five years ago? By cool I of course mean horrifying.
This is a really cool hack but I would never hand over my email creds to someone like LinkedIn after their history with emails. They might decide one day to "help" you by inviting everyone you have emailed or has emailed you, or they could start adding a "Connect With Josh" link to the bottom of my outgoing emails that links to my LinkedIn.
Again, VERY cool how they did it but it requires quite a bit of trust in a company that I don't find very trustworthy.
When we first built Rapportive for Gmail, people thought that we were crazy — writing a browser extension that modified the Gmail page on the fly, effectively writing an application inside someone else’s application! But it turned out to be a great success, and many others have since followed our footsteps and written browser extensions for Gmail.
The author is being a bit arrogant, there is more complex stuff than modifying gmail on the fly (remember greasemonkey?).
It is horrible but there is little you can do to stop this trend: Most online services do not want users to be able to undo decisions and the vast majority will be okay with that. Ever wanted to correct a post on facebook?
I've been talking to a number of startups whose products hinge on access to a user's email inbox. Now here is LinkedIn doing this too. This trend is kind of disturbing to me, I can't really imagine a future where most of the services I use require access to all of my personal e-mail. It's quite scary.
LinkedIn is a public company whose product is actually very simple and whose maintenance and improvement does not really require the number of employees they have. Initiatives like this spawn from boredom in that kind of environment, because the product slack goes all the way up the chain.
The Iron Law[1] says that the programmers are going to be bored, the product managers and creatives with input will approve and shepherd the product out of boredom, and the management who launches it will do so out of boredom, all in their own interests.
Yes. Users with friends, an activity feed, and job classifieds are all solved problems that many underemployed web developers could throw a prototype together in weeks or a few months. Tack on that pointless skills voting junk and webboards as desired. Did I miss anything?
The fact that they have stockholders means they always have to do something: Google and driverless cars, Musk going to Mars, Facebook going phone...this IMAP hijacking is LinkedIn's current something that they have to come up with to have a story to tell investors so that they don't think LinkedIn is "stagnating."
Does this mean that for a simple email like "See you in 5 minutes" or "Let's go to lunch", it would actually download a full LinkedIn profile with it? (Hidden with the CSS, but still downloaded). If so, it seems to be wasteful.
All the privacy issues it raises are already discussed.
I often wish there was a good way to do email "apps" like this without giving away the keys to the castle.
I'm just not comfortable giving my email credentials out when access to my email is effectively a skeleton key for the rest of my accounts via password resets.
As right as everyone is about how insecure this is, it's a fun exercise to imagine how different the public response to this would be if it were one person's hack project using self-hosted proxy. The hacks employed here are really cool.
Retitle this post as "Major security flaws in iOS" and you've done something brilliant. Intro is malware, plain and simple, but this post has exposed some serious holes in Apple's security which will hopefully be fixed ASAP
Privacy issues aside, have we really set the bar this low on what is or isn't technically "impossible"? Because if so, that's terribly sad and as an industry we should all be ashamed.
This should be extractable by "algorithms" these days: "Our key insight was this: we cannot extend the mail client, but we can add information to the messages themselves"
What a disgusting group of bottom-feeders LinkedIn has become. Question is: if I install this unwittingly and they do something to my email server side later-on (not that they have been accused of other vaguely unethical things) how much are they protected by the EULA?
FYI, in the state of NJ, not even your employer has the right to do many things with your work email. They recently decided this. I would love to see the impending lawsuit with LinkedIn for similar reasons, but just for advertising.
Looks to me like Apple has some security to tighten up. I definitely don't think you should be able to do most of this stuff, but you can't really fault LinkedIn I don't think. They made something that adds value to their product and it got approved by Apple. Either way, the hacks are cool ones and I'm glad Linked-in did this write up. Keep 'em coming.
There is really no Apple approval to be given or not given here. It is really just creating a new email account. There is no real way that Apple could stop them from doing this if they wanted to. It is up to you if you tell linkedin your email credentials. I would certainly not recommend it, even without their track record.
The iPhone Mail app allows embedded CSS right? I mean, why not solve this for all mobile devices by adding the top bar to all emails, marking it display: none; and using media queries to show it if it's a mobile resolution?
Also, pretty sure the :hover state touch interaction is something anyone who's done any kind of mobile web development knows about.
While I can't see the security-conscious user liking this, the CSS tricks could be a great tool in the bag of a company that wants to send actionable notifications or newsletters--either the giants like twitter, or SaaS tools like http://iterable.com/.
A private self-hosted version of this wouldn't be that bad. Imagine that you write the same proxy, and it injects data grabbed from the various APIs it's hooked up to.
This. The tech described is pretty neat... Give you my email creds? Hell no. But _I_ could do all that myself. I think that would be one way that linkedin could save this - release an easy to set up open source version, say one click to a heroku instance or something. Then one could add all sorts of smart stuff into their own emails.
Agreed. Imagine if you could have other providers snap into this? It's a shame that they're hacking their way around Apple's walled garden, but a self hosted proxy server is a nifty way to add functionality to email.
For some weird reason (having dealt with newsletter projects), manipulating the html through the IMAP services was the first thing I could think of.
But I wouldn't do that, because this way, you can intercept all messages that people are mailing and it would harm your business image (at least, in my eyes).
There is definitely not much value here for the risk involved (handing out your credentials to a 3rd party). Although interesting, the hack seems pretty straightforward. I wonder if they had to do something more complex for 2-factor authentication enabled accounts (gmail) or if that is not supported?
Interesting hack. So since you inject that social info at the time of the email, that means if someone gets a new job, it will still show the old employer info / position in the older emails... right? What made you guys do this instead of your own mail app like Mailbox?
Certainly an interesting workaround. I'm not that familiar with iOS development, so could someone explain what technical reasons there might be for running a remote imap proxy server to do the message modifications rather than a local (on device) one?
There is some really neat technical stuff at linkedin, it's just a shame the site is a pile of spamming shit. If they overhauled it and got rid of all the annoying things then it would actually be decent.
I want to see a documentary showing how such a feature was conceived, greenlighted, implemented, and ultimately released without someone pulling the plug.
This is a game changer. Love this idea, and also would love to see other big social networks using the same technology to make our mail more interactive.
I'd be very surprised, because you can't configure the app to use a particular IMAP server. You just give it your username and password and it does the rest.
It will probably "work" as they are abusing the network (it will probably screw up VPN configs) to hijack all imap calls. Unless the gmail app uses regular http endpoints... which it probably does.
This seems very very very brittle.
Some overcompensating product asshat managed to convince their code monkeys into building something that will probably break easily, not to mention the security concerns with giving them your mailbox access.