TheJoyOfHack

For people who like to make things

The stupidity of this is mind-boggling. Essentially, LinkedIn is asking you to insert a man-in-the-middle IMAP server that parses ALL your email and modifies the body so as to ‘enhance mobile email, giving professionals the information they need to be brilliant with people.’ The following tweet from Justin Miller first brought this to my attention:

The article describes how the ‘IMAP Proxy Service’ would have access to all your email, as well as the password associated with your email address.
So if Alice sends an email to Bob, and Bob has this thing installed, Alice’s emails are being intercepted and parsed by LinkedIn without her knowing it. Alice does not need a LinkedIn account to be vulnerable to this. What’s more, those emails that Bob sent and received in the late 1990s (before LinkedIn was even formed)? LinkedIn now has access to those emails as well.

It’s funny how proud they are of this, when in reality it’s an awful thing to do. In my experience, the majority of people aren’t (and shouldn’t need to be) technically savvy enough to understand that doing what LinkedIn suggests puts their privacy at risk not just for one operation, but continuously.

Asking users for their emails and passwords isn’t new: networks like Facebook, Path, and LinkedIn too, ask for email passwords to harvest users’ contacts. But for those types of operations the assumption is that the passwords aren’t saved and the credentials are discarded after the contacts’ names and addresses are collected. With a proxy email server, however, all your present and future emails are being scanned, and older emails are also technically at risk of being read. The window of opportunity isn’t momentary; it lasts as long as you have the IMAP proxy installed.
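To make the exposure concrete, here is an added example (not from the original post or from LinkedIn) that walks a constructed client-side IMAP session and lists what the endpoint terminating that session learns. The account, mailbox names and the use of a plain `LOGIN` command are assumptions for illustration; the function name `exposure` is hypothetical.

```python
import shlex

# Constructed client-side IMAP session (not captured traffic). With an IMAP
# proxy configured as the mail server, the client's TLS session ends at the
# proxy, so the proxy reads every one of these lines in the clear.
SESSION = """\
a1 LOGIN "bob@example.com" "correct horse battery"
a2 SELECT INBOX
a3 UID SEARCH BEFORE 1-Jan-2000
a4 UID FETCH 1:* (BODY[])
a5 SELECT "Sent Mail"
a6 UID FETCH 1:* (BODY[])
a7 LOGOUT
"""

def exposure(session: str) -> dict:
    """Summarise what the server-side endpoint of this session learns."""
    seen = {"user": None, "password_seen": False,
            "mailboxes": [], "date_searches": [], "full_bodies": []}
    current = None  # mailbox most recently selected
    for line in session.splitlines():
        parts = shlex.split(line)  # handles quoted IMAP strings
        if len(parts) < 2:
            continue
        cmd, args = parts[1].upper(), parts[2:]  # parts[0] is the client tag
        if cmd == "UID" and args:  # UID prefix: the real command follows
            cmd, args = args[0].upper(), args[1:]
        if cmd == "LOGIN" and len(args) == 2:
            seen["user"] = args[0]
            seen["password_seen"] = True  # a reusable credential, sent every session
        elif cmd == "SELECT" and args:
            current = args[0]
            seen["mailboxes"].append(current)
        elif cmd == "SEARCH" and len(args) >= 2 and args[0].upper() == "BEFORE":
            seen["date_searches"].append((current, args[1]))  # reaches old mail
        elif cmd == "FETCH" and any("BODY[" in a.upper() for a in args):
            seen["full_bodies"].append((current, args[0]))  # whole messages
    return seen

if __name__ == "__main__":
    for key, value in exposure(SESSION).items():
        print(f"{key}: {value}")
```

Every message body fetched this way includes mail written by correspondents like Alice, and the same credential is presented again on each new session for as long as the proxy stays configured.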

This isn’t a new risk that LinkedIn has just exposed us to. This risk has been around since SMTP has been around. You have never been able to control what happens to your email once you hit ‘Send.’

Is the extra information that you get from LinkedIn worth this egregious invasion of your privacy? In my opinion, no. I think Ian Keith’s analogy is apt: