Security warning issued after it emerges LinkedIn app requires all emails to be re-routed through its servers

By Mark Leiser, Research Fellow

November 8, 2013 | 5 min read

When logging into our university servers this week, I noticed a warning message from our IT department advising students and staff not to download the app from the professional networking service LinkedIn.

Route: The LinkedIn app requires email to come through its servers

I use LinkedIn purely for professional purposes: to let my colleagues know what I am doing and what projects I am working on, and vice versa. I recently wrote an article about a lawsuit in which LinkedIn had been accused of various invasions of privacy, including tunnelling into users’ email accounts and spamming their contacts.

The story raised my eyebrows because of the accusation that programmers who worked at LinkedIn had actively bragged about developing these types of tunnelling programs, and had posted about their achievements on, of all places, LinkedIn.

The app, which does nothing more than show you the profile of the person you are interacting with on email, was made available this week and appears to be part of CEO Jeff Weiner’s aggressive plans to connect people via the social network. Because people use LinkedIn to put their work and professional details onto the network, it serves the company’s aim of creating the most valuable economic network in cyberspace.

The LinkedIn app, named Intro, is designed to give you a complete profile of the people you interact with via email. This requires unfettered access to your email account and requires all users to send their email through LinkedIn servers. Bishop Fox, a security consultancy firm, wrote on their blog: “Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analysing and scraping your emails for data pertaining to … whatever they feel like.”

This effectively means that by downloading and installing LinkedIn’s Intro app, you would be handing ALL of your information over to a third party. The app scrapes the information in the emails you send and also tracks who you are interacting with, in order to make better recommendations to you about who to connect with.

If you already use LinkedIn, it won’t affect the web platform, but using the app means that the company can now read and scan all of the emails you send and receive. If that wasn’t bad enough in the days of Snowden and the NSA, downloading the app also means you are probably breaking the terms and conditions of your employment, and if your job involves confidential messaging, as in law or medicine, then you are probably falling foul of legal privilege.

Bishop Fox stated: “Think about it this way. A vendor tells you they will install a device on your network that monitors all your email so they can insert their data into your emails. They’ll do this for free – except they want to have unfettered access to all your emails and mine them for information about your users. They don’t say what exactly they would store from each email, but just trust them to do the right thing.”

To address these concerns, LinkedIn updated users on two points: that it does not store any user emails on its servers, and that email is fully encrypted. However, researchers quickly debunked this claim, stating that LinkedIn would have to decrypt the email, add the changes it wants and then encrypt it again en route to its recipient, adding a new layer of insecurity to email in transit.
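To illustrate the researchers’ point that a relay which inserts content into a message must hold the plaintext, here is an added example, not code from the article or from LinkedIn, modelling the two encrypted hops (client to relay, relay to mail provider) with an HMAC-based stream cipher standing in for TLS. The keys, nonces, inserted footer and sample message are all constructed for the example.

```python
import hashlib
import hmac

# Constructed per-hop keys. "Fully encrypted" in transit here means two
# separate encrypted hops: the relay holds BOTH keys, the provider only one.
KEY_CLIENT_RELAY = hashlib.sha256(b"constructed hop 1 key").digest()
KEY_RELAY_PROVIDER = hashlib.sha256(b"constructed hop 2 key").digest()
NONCE_HOP1 = b"constructed-nonce-1"
NONCE_HOP2 = b"constructed-nonce-2"

# Data the relay injects into every message it forwards (placeholder text).
FOOTER = b"\r\n-- profile card inserted by relay --"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a TLS record cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def client_send(message: bytes) -> bytes:
    """The mail client encrypts to the first hop, which is the relay."""
    return seal(KEY_CLIENT_RELAY, NONCE_HOP1, message)


def relay_forward(ciphertext: bytes, seen: list) -> bytes:
    """To read and modify the mail the relay must decrypt; it records what it saw."""
    plaintext = seal(KEY_CLIENT_RELAY, NONCE_HOP1, ciphertext)
    seen.append(plaintext)
    return seal(KEY_RELAY_PROVIDER, NONCE_HOP2, plaintext + FOOTER)


def provider_receive(ciphertext: bytes) -> bytes:
    """The mail provider decrypts only the second hop."""
    return seal(KEY_RELAY_PROVIDER, NONCE_HOP2, ciphertext)


def run(message: bytes):
    """Return (what the relay saw in clear, what the provider delivered)."""
    seen = []
    delivered = provider_receive(relay_forward(client_send(message), seen))
    return seen, delivered
```

Whoever controls or compromises the relay box gets the contents of `seen`, which is the whole message, regardless of both hops being encrypted.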

Richard Bejtlich, the chief research officer at the computer security company Mandiant, added: “The risk is that you essentially trust a box, run by LinkedIn, with your email. It’s a target for someone that wants to get to your email. All the fears people now have about e-mail — that they will be intercepted by intelligence agencies for instance — are present.”

Considering LinkedIn’s poor reputation for user privacy and security, it is amazing that they even released the app in the first place. Last year, 6.5 million usernames and passwords were leaked to a Russian hacker website, and the aforementioned lawsuit about email tunnelling and spamming means I wouldn’t recommend downloading the app any time.
