The LinkedIn mobile app for iOS devices has been discovered sending potentially confidential private and business information to the company's servers without the users' knowledge. The fact was discovered by Yair Amit and Adi Sharabani, researchers and founders of Skycure Security, who are set to present their findings during a security workshop at Tel Aviv University today.
The feature that allows that to happen concerns calendar syncing and is opt-in, and collects data from all the calendars (private and corporate) on the iOS device.
"The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes," the researchers point out.
"While accessing this information locally by the app is not a problem by itself, this information is collected and transmitted to LinkedIn’s servers; moreover, this action is currently performed without a clear indication from the app to the user, thus possibly violating Apple’s privacy guidelines."
The researchers say that to implement its feature of matching the people one meets with their LinkedIn profiles, the company does not actually need that many details to be sent to the servers, only the unique identifiers of those people. They add that this information should be sent in encrypted form, and that users should be clearly informed of it.
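The data-minimisation point the researchers make can be checked in code. The example below is added here and is not LinkedIn's or Skycure's code: it contrasts a payload that ships the whole calendar event with one that ships only a pseudonymous identifier per attendee (a keyed hash of the normalised e-mail address, an assumption chosen to stand in for "unique identifiers"; transport encryption such as SSL is a separate layer and not shown). The event, the key and the field names are all constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical per-installation key, constructed for this example; a real
# client would hold it in the device keychain, never hard-coded.
APP_KEY = b"example-only-key-not-for-production"

@dataclass
class CalendarEvent:
    subject: str
    location: str
    start: str
    attendees: list
    notes: str = ""

def full_sync_payload(event: CalendarEvent) -> dict:
    """What the article describes: every field of the event leaves the device."""
    return {"subject": event.subject, "location": event.location,
            "start": event.start, "attendees": event.attendees,
            "notes": event.notes}

def attendee_id(email: str) -> str:
    """Pseudonymous identifier: keyed hash of the normalised address."""
    normalised = email.strip().lower().encode()
    return hmac.new(APP_KEY, normalised, hashlib.sha256).hexdigest()

def minimal_sync_payload(event: CalendarEvent) -> dict:
    """What profile matching actually needs: attendee identifiers only."""
    return {"attendee_ids": sorted(attendee_id(a) for a in event.attendees)}

SENSITIVE_FIELDS = ("subject", "location", "notes")

def leaked_fields(event: CalendarEvent, payload: dict) -> list:
    """Sensitive event fields whose values appear in the serialised payload."""
    wire = json.dumps(payload).lower()
    return [f for f in SENSITIVE_FIELDS
            if getattr(event, f) and getattr(event, f).lower() in wire]

# Constructed sample event of the kind the researchers describe.
SAMPLE = CalendarEvent(
    subject="Q3 board prep",
    location="Room 4B",
    start="2013-06-18T09:00",
    attendees=["Alice@Example.com", "bob@example.com"],
    notes="Dial-in 555-0100, passcode 123456",
)

if __name__ == "__main__":
    print(leaked_fields(SAMPLE, full_sync_payload(SAMPLE)))     # ['subject', 'location', 'notes']
    print(leaked_fields(SAMPLE, minimal_sync_payload(SAMPLE)))  # []
```

The same `leaked_fields` check can be run against any outbound request body in a privacy review to confirm that notes, subjects and locations never leave the device.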
When contacted by Nicole Perlroth, LinkedIn's spokeswoman failed to specify just why all the data in question is harvested and sent to the servers, reiterated that the feature is opt-in, and said nothing about whether the company will effect changes to the app that would stop this privacy snafu from happening in the future.
In the meantime, those users who want to stop this from happening to them can toggle off the “Add Your Calendar” option in the Sync Calendar feature of the LinkedIn app.
UPDATE: Joff Redfern, Mobile Product Head at LinkedIn, took to the company blog to point out that they do ask the users' permission before accessing their calendar (as it is an opt-in feature) and that the information is sent over a secure SSL connection to the servers, where it is not stored or shared.
Still, he says that the LinkedIn app for Android has been modified to no longer send data from the meeting notes section of the users' calendar event, and that a new “learn more” link has been added to provide more information about how their calendar data is being used.