
LinkedIn Intro: Doing the Impossible on iOS

485 points| martinkl | 12 years ago |engineering.linkedin.com | reply

306 comments

[+] zaroth|12 years ago|reply
I don't think I've ever gagged quite like that while reading a technical article describing a "neat hack".

At first I'm thinking, oh, I wonder how they convinced Apple to let them use some private APIs, and then... curiosity turns to revulsion as soon as I saw that proxy diagram. Good god... LinkedIn MITM IMAP. That is truly terrifying.

How would you even go about installing that on the user's phone? Oh, that's in there too... they ship a 'configuration profile' which adds a new email account, so your password is leaving the device in cleartext and being used to create the profile server-side which is then shipped back to the phone and installed, how exactly?

This just gets worse and worse if I understand correctly... I'm surprised that configuration profiles can be shipped to an arbitrary device from a third party this way without the user manually installing LinkedIn's certificate as trusted. In other words, it should be a lot harder to "Accept" these profiles outside an enterprise setting, because it sounds exploitable. What else can you configure "so easily" I wonder?

Then you get into how they are hacking CSS and iframes into the email body, to substitute for Javascript, and actually create a workable user interface. Now this is fascinating, impressive, and deserves further study... Without fully understanding exactly what they are doing, however, it sounds highly abusive of the Mail app's rendering capabilities, and points to exploitable paths within the Mail app that probably need to be tightened up by Apple. If LinkedIn can make an email "act" like that without any opt-in on my part, how would Mallory use the same "feature" in their latest SPAM campaign?

<s>Thanks LinkedIn... really, I'm impressed. When exactly did Walter Bishop start working for you?</s>

P.S. I look forward to following your pending class-action lawsuit for violation of US federal wiretapping laws. Cheers!

[+] duhprey|12 years ago|reply
It's funny, I read all through that with my rose tinted glasses thinking they'd created a local IMAP server on the phone, which would have been clever (and, I think, doable)... in fact I was running this perception until "Our proxy server is written in Ruby using EventMachine, which allows it to efficiently handle many concurrent IMAP connections"

And I thought, why the heck would one phone be issuing so many concurrent IMAP connections. Oh my naiveté.

[+] cpg|12 years ago|reply
I tend to agree that no sane person with minimal technical knowledge would balk at this.

I already know that Yahoo! sells the email addresses of the people I exchange even one email with to LinkedIn and I am repulsed by this. LI then turns around and offers them as connections. I should note I am always logged out from LI to prevent even more evil from them. LI is just evil and should be eradicated.

[+] thefreeman|12 years ago|reply
Where in the blog post does it say that your credentials are leaving the device in clear text? I know people don't like LinkedIn but I don't think even they would be dumb enough to do this over http.
[+] Kiro|12 years ago|reply
What exactly were you expecting? I think it's a neat hack using some clever tricks.
[+] ivix|12 years ago|reply
Nerd outrage hyperbole much? This is an OPT IN service. You know, only for people who WANT to use it? If it causes you this degree of apoplexy, you are in luck: you don't have to use it.
[+] samstave|12 years ago|reply
How are they handling attachments? Are my attachments going through their proxy? Can they see them? What if their servers are down? What if their servers are hacked more easily than some other allowing for all mail passing to be slurped?
[+] olegp|12 years ago|reply
I'm curious: given the negativity of the comments why does the post have so many upvotes?

Do people find the technical details interesting despite the privacy concerns?

Either way, congrats to Martin, Sam and others on the launch. Getting something out the door to such a wide audience after working on it for over a year must be quite a challenge.

[+] stigi|12 years ago|reply
I can't agree more.

Next thing: store your S/MIME private keys on LinkedIn servers to enable the feature also for encrypted mails...

I think LinkedIn should not offer every feature that's technically possible. Things should stay within reason, and some things should not be offered, especially not to non-savvy users.

[+] joshdance|12 years ago|reply
"I'm surprised that configuration profiles can be shipped to an arbitrary device from a third party this way without the user manually installing LinkedIn's certificate as trusted."

The user has to install the profile as trusted. There is no mechanism for auto installing a profile. Similar to TestFlight and the profile you install to use that.
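
An added example for readers who want to see what a mail-account profile would configure before accepting it (not part of this thread and not LinkedIn's code): it parses a profile and flags mail payloads whose servers are not the hosts expected for the address's domain. It assumes an unsigned XML `.mobileconfig` using Apple's `com.apple.mail.managed` payload keys; the allowlist, hostnames and sample profile are constructed.

```python
import plistlib

MAIL_PAYLOAD_TYPE = "com.apple.mail.managed"
HOST_KEYS = ("IncomingMailServerHostName", "OutgoingMailServerHostName")

# Constructed allowlist: the mail hosts expected for each address domain.
EXPECTED_HOSTS = {
    "example.com": {"imap.example.com", "smtp.example.com"},
}


def audit_profile(data: bytes, expected=EXPECTED_HOSTS):
    """Return (address, key, value) findings for mail payloads in a profile.

    Assumes an unsigned plist; a signed profile is CMS-wrapped and must be
    unwrapped before it can be parsed this way.
    """
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != MAIL_PAYLOAD_TYPE:
            continue  # only mail account payloads are of interest here
        address = payload.get("EmailAddress", "")
        domain = address.rpartition("@")[2].lower()
        allowed = expected.get(domain, set())
        for key in HOST_KEYS:
            host = payload.get(key, "").lower().rstrip(".")
            # A host outside the allowlist means mail is routed via a third party.
            if host and host not in allowed:
                findings.append((address, key, host))
        # The profile format allows the account password to be embedded.
        if "IncomingPassword" in payload:
            findings.append((address, "IncomingPassword", "<embedded>"))
    return findings


# Constructed sample profile: IMAP goes to a proxy host, SMTP to the provider.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Constructed sample profile",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mail.managed",
            "EmailAccountType": "EmailTypeIMAP",
            "EmailAddress": "alice@example.com",
            "IncomingMailServerHostName": "imap.proxy.example.net",
            "IncomingMailServerUseSSL": True,
            "IncomingPassword": "constructed-secret",
            "OutgoingMailServerHostName": "smtp.example.com",
        },
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "guest"},
    ],
})

if __name__ == "__main__":
    for address, key, value in audit_profile(SAMPLE):
        print(f"{address}: {key} -> {value}")
```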

[+] songgao|12 years ago|reply
I think LinkedIn should open source their proxy endpoint to let people use their own server to proxy messages...

p.s. Why Walter Bishop?

[+] nostromo|12 years ago|reply
This is a truly awesome hack. Good job!

The value for LinkedIn to vacuum up my email is immense! They'll know everyone I email and the content of the emails as well. They'll know where I shop and what I purchase. If I send a private email to a friend who has this installed, I've now unknowingly bcc'ed LinkedIn. Not only that, but they know this for the entire history of my email account! The person I stopped emailing 7 years ago... LinkedIn has access to that as well.

But in this case I don't think the value prop for the user is big enough to make me overcome this large of an ask.

I appreciate LinkedIn addressing this in their Privacy Pledge, but so long as they retain the right to change it at any time, I'm too uncomfortable to install this. But, I'm still in awe of the creative work-around. :)

[+] vdaniuk|12 years ago|reply
Thanks for this comment, nostromo. You've managed to address privacy problems with the LinkedIn Intro while praising the technical solution. This is a great example of constructive criticism that I, for one, would like to see more on HN. Constant raging decreases the efficiency of knowledge transfer and community building.

Maybe one such comment / thread would be enough to significantly increase quality of a discussion.

[+] dclowd9901|12 years ago|reply
Maybe we should be discussing Apple's closed-ass OS instead of harping on the only workaround that could possibly exist. Such "creative" measures wouldn't need to be taken if it was simple for a user to augment their email app.
[+] tptacek|12 years ago|reply
I don't care who the company is, or how trustworthy you think they are: avoid giving third parties credentials to your inbox.
[+] pallandt|12 years ago|reply
Couldn't agree more, not just because of the possible security implications, but also because it can seriously back-fire against you, in terms of potentially damaging your reputation.

A closely related example would be of a web app I stumbled upon recently via an unexpected email I received in my LinkedIn inbox about a new educational platform that supposedly one of my contacts was recommending me to try. Curious and suspicious, I opened the link and clicked on 'connect with LinkedIn'. In small script, the app was requiring me to authorize it to send emails on my behalf, which is exactly the case of the original unsolicited message I had received: another unsuspecting user just glossed over the terms and connected their LinkedIn account to this app....resulting in all of their contacts being spammed with the message. The 'victim' was displeased to say the least when I warned them what their account was doing without their knowledge.

Had I not been careful about that and proceeded to authorize the app, I would've most likely been booted off at least a few people's contact lists for spamming them with such stuff irrelevant to their interests.

[+] jamra|12 years ago|reply
If you think about the reach LinkedIn has, combine that with each contact the LinkedIn user has and you have a very fast database of emails that can be misused.
[+] slg|12 years ago|reply
Except the third party that actually is your inbox?
[+] poxrud|12 years ago|reply
This is essentially a mitm attack. I am amazed that a company the size of LinkedIn would think that this is in any way appropriate. These are the tricks of spammers and cyber criminals. This is what LinkedIn has become.

Will customers be explicitly told that all of their emails will be going through and stored on LinkedIn servers? I doubt it. I do envision a dialog box along the lines of "Click Here to make your experience better". Sadly people will click without realizing the implications.

[+] baddox|12 years ago|reply
The "attack" part of "man in the middle attack" refers to the fact that it is done secretly and generally with ill intentions. LinkedIn is not being secretive (and we can speculate about their intentions). If everything that's in the middle of something is a man in the middle attack, then that would include your home router.
[+] MPetitt|12 years ago|reply
But you do have to take into account the context of what they are doing. Yes on a technical scale it is similar to a mitm attack, and yes in theory they do have access to your email content, but I don't think that by using an interesting trick to add a useful feature should put them in the same category as sleazy hackers secretly trying to steal your credit cards and such.
[+] aeberbach|12 years ago|reply
Misleading title. Nobody did the impossible on iOS, just did clever things within the available frameworks. Well done author, it works. But did you ask yourself "should I really do this?"

What I hope is going to prove truly impossible is doing anything like this without requiring the user to explicitly accept the configuration profile. Even so I expect they will trick many into allowing "enhancement" of their email.

LinkedIn has a history of abusing email. From the early days* where they would email all of the contacts on your machine if you didn't read carefully enough to today where you can click unsubscribe many, many times and still get "important updates". It's a wretched hive of scum and recruiters, and they will never get between me and my email.

*spoke too soon! looks like they still do it: http://community.linkedin.com/questions/10106/i-want-linkedi...

[+] j_s|12 years ago|reply
A brief history of LinkedIn's problems as seen here on HN:

• LinkedIn: The Creepiest Social Network (May 9; 326 points) https://news.ycombinator.com/item?id=5680680

• Why I Just Closed My LinkedIn Account (Jun 18; 137 points) https://news.ycombinator.com/item?id=5900120

• LinkedIn sued by users who say it hacked their e-mail accounts (Sep 22; 204 points) https://news.ycombinator.com/item?id=6425444

• Today I Deleted My LinkedIn Account; You Probably Should Too (Sep 24; 143 points) https://news.ycombinator.com/item?id=6433828

[+] j_s|12 years ago|reply
How (and Why) You Should Block LinkedIn Access to your Exchange Server Organization

http://exchangeserverpro.com/blocking-linkedin-access-to-you...

  > I ran some tests with two brand new mailboxes, and it seems that LinkedIn 
  > accesses both the Contacts and the Sent Items.

technical details: http://www.adamfowlerit.com/2013/06/02/linkedin-securityinfo...
[+] EvanAnderson|12 years ago|reply
If LinkedIn changes their User-Agent string then they're right back in again.
[+] carbocation|12 years ago|reply
Technologically this is straightforward: it uses a proxy server that sits in between you and your actual mailserver.

I think the privacy concerns of having your mail (potentially) available over yet another server in exchange for modest convenience makes it unlikely that I would use this, but I'm sure many will find the trade-off acceptable and desirable.

[+] jwr|12 years ago|reply
There are lots of concerns:

* your local mail client might get different E-mail content every time mail is downloaded, which is not the intent of IMAP,

* LinkedIn (hence, the NSA) gets full access to your E-mail,

* once people get hooked it's easy to transition to inserting ads, or "more helpful LinkedIn content",

I find all this rather disturbing and would never use this service.

[+] throwaway2048|12 years ago|reply
>I'm sure many will find the trade-off acceptable and desirable.

This is making a big assumption that they understand the implications. Or that LinkedIn explains them at all.

[+] mpclark|12 years ago|reply
Surely corporate IT departments are going to have a collective heart attack as employees start handing all their email to a third party?
[+] confluence|12 years ago|reply
Holy fucking shit Batman! Assuming I read this correctly LinkedIn will now have access to all of your emails, your email credentials, and will now have the ability to both spoof your email, and MITM all incoming mail (banking etc). I was actually impressed at some of the little hacks they found, until they dropped this on me halfway through the blog. My jaw hit the ground.

This is probably the most blatant disregard for privacy and security for the smallest possible benefit that I have ever seen. Well, next to giving LinkedIn the password to your email so that they can spam your friends and hack your account.

Everyone needs to stop using this piece of shit service. They're incompetent and malicious. LinkedIn is the Zynga of HR. I'm gonna go buy some puts.

Disgusting.

[+] anaphor|12 years ago|reply
I completely agree. I'm absolutely disgusted by this.
[+] mcphilip|12 years ago|reply
IMO, LinkedIn has a history of enough bad business practices that it should be shunned like a pariah and treated with complete suspicion that they may have ulterior motives in designing this MITM app.

I have never joined LinkedIn and have never been interested in any position that requires an easily gamed LinkedIn profile instead of meatspace references.

[+] staunch|12 years ago|reply
Not only does it obliterate users' security but it introduces a potentially unreliable point of failure. Sometimes the hack is worse than the problem it solves. I hope they're being extremely upfront with users about how this works, not that most users will really understand the implications...
[+] mlinsey|12 years ago|reply
I don't understand why trusting LI with all your email is worse than trusting Google with all your email.

Sure, if you do it for your corporate email, you may be violating the rules of your employer, but that's between you and your employer, and not enough reason to keep others from using an amazingly useful service for their own personal email.

Lost in all this discussion is just how awesome Rapportive is - the desktop gmail version has concretely and significantly changed my life for the better, and that's not hyperbole. Being able to research people without leaving my inbox has saved hours of time in my life, made my communications with those people more effective, and prevented me from making at least a couple serious errors.

All that is worth the added risk, especially for my personal email. Curious: does everyone in this thread have equal outrage for those widgets that log into your email clients so that you can invite your friends?

[+] x0054|12 years ago|reply
So you give up your email credentials to LinkedIn and in exchange you get a little widget that tells you the name of the person who is emailing you, the company they work for, their position in the company, and some contact information? Isn't that what the signature line is for? Seriously, don't people already set up their signature line to include all that information?

It's a cool hack, however.

[+] benhamner|12 years ago|reply
The privacy outrage around this is nonsensical.

Over 500 million people trust Google with complete and indefinite access to their email. The leap from trusting no external email providers to trusting Gmail is much greater than this incremental step of trusting LinkedIn as well. The risk is similar to trusting an established company to automatically backup your emails, and smaller than trusting startups like Greplin (which rebranded and got acquired) to safeguard a dump of all your emails.

This is not to say the privacy and uptime risks are non-existent: the attack surface area is marginally increased and there is another system that could break.

Claiming LinkedIn's doing a "MITM attack on your email" is on the same level as saying "Google is Big Brother." Both statements capture an element of reality, but with an extremely alarmist bent.

[+] austinheap|12 years ago|reply
With your claim, why not make your e-mail public? If you're not worried about Google -- who is already in bed with the NSA -- and you're not worried about LinkedIn -- who is proposing to proxy ALL your e-mails -- then just set up a script to auto-dump every single e-mail you get to GitHub.

Win Win! You get to act like privacy isn't a real threat, and you validate your point!

[+] miguelrochefort|12 years ago|reply
To HN commenters:

If you don't trust LinkedIn, fine. Don't use it.

But please, don't assume that LinkedIn is universally not trusted, the same way you assume that Microsoft is universally hated.

This is a neat feature, and I'm sure that many people trust LinkedIn enough to think that the trade-off is worth it. Would you prefer to not have the choice to have access to this feature, and prevent others from having it too?

I don't see this kind of reaction when 99% of other services ask access to a third-party API. Why is this so different? Is it because they have access to emails? What makes email SO MUCH more important than any other data to be in a category of their own? I don't think you can draw a line, and it's pure subjectivity.

Surely, the service itself is not a problem. Google would do the same thing, and you would all think it's the best thing since sliced bread? Why? Because most people already trust Google with their emails (and everything else), and accept that they know everything about them.

So please, don't criticize the solution, don't blame the hack (unless you can suggest a better way to do it). The only good reason not to use it is for lack of trust for LinkedIn, and nothing else.

I've had enough of your drama-seeking behaviors, and I don't think I'm the only one. Grow up.

[+] uptown|12 years ago|reply
Apart from actually giving them the power to slip-stream their content into your messages, how is this different (access-wise) to what people have granted to the email-management app Mailbox? Seems like in both cases, you're handing control of your inbox content over to an additional 3rd party unnecessarily.
[+] 0x0|12 years ago|reply
So what happens if you reply to a mail like this? Does the quoted part contain all that LinkedIn fluff?
[+] cag_ii|12 years ago|reply
Wouldn't this essentially allow them access to read/analyze/archive all of your email for any account you set up?
[+] nwh|12 years ago|reply
Of course. They can send as you too, which given their spammy record is quite a huge issue. They will also be storing your IMAP password in plaintext.
[+] madoublet|12 years ago|reply
I would like to hear more about the security around this. Given LinkedIn's reputation, this is a bit scary.
[+] jamra|12 years ago|reply
Proxy to return a header in your email. CSS to render the content upon click. IFrame to update content so it doesn't get cached.

Cute web hacks. I don't understand the problem with simply using their mobile app if you were really looking for work.

It sounds like an unnecessary feature for people who are looking and an annoyance to people who are not. That seems to be the problem of LinkedIn. They harass those who are working with vague and misplaced job requests in an attempt to expand their reach.

I also hate iFrames. Cool trick though.

[+] bjacobso|12 years ago|reply
I don't think it is designed for people "looking for work". It seems to be built for business development. For example, an email like: "Hey, we met at a conference last month, just wanted to follow up..." - now you can see who they are, where they work, a profile picture to jog your memory and quickly connect - all from your email client. Very similar to what Rapportive did for Gmail.
[+] flomo|12 years ago|reply
I am a little disturbed that Apple Mail supports iframes. Seems like an obvious way to bypass spam filtering.