LinkedIn Intro? No thanks. My email security is too important

LinkedIn wants iPhone users to sign up for a new service called Intro. My advice? Don’t.

LinkedIn Intro extends the standard iOS Mail app in ways that Apple never intended to be possible, injecting HTML code into the top of the emails you receive so you can view someone’s LinkedIn profile alongside their message.

In a fairly self-congratulatory blog post entitled “LinkedIn Intro: Doing the Impossible on iOS”, LinkedIn engineers explain just how clever they have been.

And yes, to give them credit, from the engineering point of view it is pretty nifty. But from the security and privacy point of view it sends a shiver down my spine.

Rather than your iPhone connecting directly to your email provider’s servers (Gmail, Yahoo, etc), it will be connecting via LinkedIn’s proxy server instead - which will act as a middle-man in your email communications.

LinkedIn will then look at your email messages, and insert Intro information into each one.

The iPhone Mail app, before and after LinkedIn Intro

In case you’ve forgotten, LinkedIn is the company which lost the passwords of over six million users last year.

LinkedIn also scooped up the contents of users’ iOS calendars, including sensitive information such as confidential meeting notes and call-in numbers - which they then transmitted in plain text, not encrypted.

LinkedIn is also, currently, the subject of a lawsuit alleging that they hacked into email accounts, in an attempt to mine address books.

Whether you believe that that lawsuit has merit or not, it’s clear that LinkedIn doesn’t have a spotless record when it comes to security and privacy.

I’m not suggesting that it has created LinkedIn Intro with any malicious intentions (unless you consider injecting an advertisement for its brand into every email malicious), but clearly security is not part of the company’s DNA - and that troubles me.

Furthermore, I find it hard to imagine any security-conscious firm being comfortable with its employees handing LinkedIn access to its emails.

And *why* do you even *need* LinkedIn Intro anyway?

If you receive a business email from someone, don’t they normally have a sig at the bottom explaining who they are, and who they work for?

What *real* advantage are you getting by having LinkedIn rifle through every email you receive? Is it just that they put it at the top of the message, rather than require you to scroll to the bottom?

The company says that you can trust them with LinkedIn Intro:

LinkedIn Intro integrates with your email, and we understand that this carries great responsibility. We respect the fact that your email may contain very personal or sensitive information, and we will do everything we can to make sure that it is safe.

Well, the first thing to do if you want to keep your very personal or sensitive information safe is to reduce the chances of a breach. Adding another link in the privacy chain which could be potentially exploited is not the direction you should be going in.

Don’t use LinkedIn Intro.

5 Responses

  1. Spryte

    October 24, 2013 at 3:39 pm #

    A few years back, in his blog, Steve Gibson posted the following comment about another company, but it applies equally to LinkedIn…

    He states that the company has no assets except our personal information and to make money they have to “Monetize” it.

    The complete post is available at:

    An interesting read.

    • GlassSneakers in reply to Spryte.

      October 25, 2013 at 1:19 pm #

      I’m not sticking up for LinkedIn but that’s not entirely true in their case. They monetize their platform by charging users.

      • AndyP in reply to GlassSneakers.

        October 26, 2013 at 11:42 am #

        No, LinkedIn monetize their platform by charging companies
        huge amounts of money for access to the data about users. At the
        moment this seems to be mainly for recruitment and advertising
        purposes, but with email data as well it can go way beyond

  2. Alex P

    November 1, 2013 at 5:43 pm #

    Wait, so they alter any message you *retrieve*? That means
    that even if I refuse to install this, they’ll still have
    access to any email I send to someone with this app

  3. Jim Dibb

    November 27, 2013 at 4:35 pm #

    How do you feel about the Mailbox app in this respect?
