{"id":17305,"date":"2012-06-06T19:50:03","date_gmt":"2012-06-06T23:50:03","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-07-13T20:22:22","modified_gmt":"2021-07-14T00:22:22","slug":"bad-day-at-linkedin","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/bad-day-at-linkedin\/","title":{"rendered":"Bad Day at LinkedIn"},"content":{"rendered":"

\"BadIt’s been a bad day for LinkedIn<\/a><\/strong> (LNKD<\/a>). LinkedIn users have been the victim of two security and privacy blunders on the same day.<\/strong> First, the LinkedIn mobile app<\/strong> for iOS devices<\/a>\u00a0is sending potentially confidential private and business information to the company servers without the users’ knowledge.<\/p>\n

\"LinkedIn<\/a>Help Net Security<\/em> reports<\/a> that security researchers Yair Amit and Adi Sharabani at Skycure Security<\/a>\u00a0identified the security hole<\/strong><\/a>. According to the researchers, the security flaw involves calendar syncing which collects data from all the calendars (private and corporate) on the iOS<\/a> device.<\/p>\n

“The app doesn\u2019t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes,” the researchers point out in the article. “…this information is collected and transmitted to LinkedIn\u2019s servers; moreover, this action is currently performed without a clear indication from the app to the user, thus possibly violating Apple\u2019s<\/a> privacy guidelines.”<\/p>\n

\"\"The first response from LinkedIn<\/strong>‘s spokeswoman Nicole Perlroth appears to minimize the issue<\/strong> and blame the users<\/strong> for the privacy breach when she told Help Net Security<\/em> that the feature is opt-in, and said nothing about whether the company will update the app that would stop this privacy snafu from happening in the future. (Looks like LinkedIn updated the App and broke it according to reviews in the Apple AppStore<\/em>) This was reinforced by Joff Redfern, Mobile Product Head at LinkedIn on the LinkedIn blog<\/a> where he also pointed out the information harvesting app is an opt-in feature. He claims that the information collected is not stored or shared<\/strong>. LinkedIn did change the LinkedIn app for Google<\/a> (GOOG<\/a>) Android so it no longer sends data from Droids to LinkedIn. There was no information in the article if LinkedIn plans to change the Apple iOS app.<\/p>\n

But wait it gets worse…<\/p>\n

LinkedIn also lost 6.5 million accounts<\/strong> today. They were however found on a Russian forum<\/strong>. LinkedIn has confirmed on their blog<\/a> that there are “compromised accounts<\/strong>.” Cameron Camp, Security Researcher at ESET<\/a>, commented<\/a> on the leak for Help Net Security<\/em>:<\/p>\n

“The difference with this hack … is that people put their REAL information about themselves<\/strong> professionally on the site not just what party they plan on attending, ala Facebook<\/a> and others …\u00a0 mess with somebody\u2019s professional profile, and you\u2019re messing with their life, and their contacts know about it.”<\/p>\n

rb-<\/strong>
\n<\/em><\/p>\n

I wrote about the value of different credentials<\/em> here<\/a> and here.<\/a><\/em><\/p>\n

I am wondering about the timing of the two security problems for Linke<\/em>dIn. Could they be related? Were <\/em>attackers using the <\/em>Apple iOS app as an attack vector? After all, we know that Apple loves to collect personal info on its customers.<\/em><\/p>\n

\"Mitt<\/a>

What happened here?<\/em><\/p><\/div>\n

Action Items:<\/strong><\/em><\/p>\n