For many professionals, LinkedIn plays an important role in their ability to network and market themselves to others, but the primary business tool of choice for just about everyone is still email. Realizing this, LinkedIn has created an app (currently only for iOS) that puts a lot more LinkedIn into your email. The app, dubbed “Intro”, is designed to provide you LinkedIn profile information (if it exists) of your recipients while you are writing your email, as well as automatically inserting an “Intro” banner that includes your profile information into every email you send. It’s this latter function that has security analysts up in arms, because in order for Intro to do its thing, it requires the user to switch their email server from the provider to LinkedIn’s own mail servers, which in turn authenticate on the user’s behalf while inserting the Intro snippet into each email as it makes its way through LinkedIn’s service. You read that right: every email you send using Intro goes through LinkedIn’s servers as well.
What this means for you:
For decades now, hackers have used a similar technology process to compromise security systems: the “Man in the Middle” attack basically tricks a computer into sending information to an alternate destination, which then forwards on the information to the intended destination, all the while pretending to be the original sender, with neither endpoint being the wiser. In this manner, the “man” in question is able to collect any information passing between the two points, including passwords and other sensitive information. Obviously, LinkedIn’s Intro app is purposefully inserted into the middle of a user’s email by the user himself, but the principle remains the same, and, at minimum, complicates security. Think of it as an email “love triangle.”
On top of this concern, security analysts have already figured out a way to spoof the information Intro inserts into your emails, essentially “weaponizing” Intro’s banner to carry any sort of payload the hacker would like, including links to hijacked websites. Imagine if you sent your client an email with a compromised LinkedIn Intro banner that led to them getting infected and their information destroyed by a virus. For now, I’d recommend sticking to inserting your own signatures into your email (which can include a link to your LinkedIn profile) and waiting a few months to see if LinkedIn has worked out all the security concerns in their new app.
