LinkedIn Intro: Doing the Impossible on iOS

I don&#x27;t think I&#x27;ve ever gagged quite like that while reading a technical article describing a &quot;neat hack&quot;.<p>At first I&#x27;m thinking, oh, I wonder how they convinced Apple to let them use some private APIs, and then... curiosity turns to revulsion as soon as I saw that proxy diagram. Good god... LinkedIn MITM IMAP. That is truly terrifying.<p>How would you even go about <i>installing</i> that on the user&#x27;s phone? Oh, that&#x27;s in there too... they ship a &#x27;configuration profile&#x27; which adds a new email account, so your password is leaving the device in cleartext and being used to create the profile server-side which is then shipped back to the phone and installed, how exactly?<p>This just gets worse and worse if I understand correctly... I&#x27;m surprised that configuration profiles can be shipped to an arbitrary device from a third party this way without the user manually installing LinkedIn&#x27;s certificate as trusted. In other words, it should be a lot harder to &quot;Accept&quot; these profiles outside an enterprise setting, because it sounds exploitable. What else can you configure &quot;so easily&quot; I wonder?<p>Then you get into how they are hacking CSS and iframes into the email body, to substitute for Javascript, and actually create a workable user interface. Now this is fascinating, impressive, and deserves further study... Without fully understanding exactly what they are doing, however, it sounds highly abusive of the Mail app&#x27;s rendering capabilities, and points to exploitable paths within the Mail app that probably need to be tightened up by Apple. If LinkedIn can make an email &quot;act&quot; like that without any opt-in on my part, how would Mallory use the same &quot;feature&quot; in their latest SPAM campaign?<p>&lt;s&gt;Thanks LinkedIn... really, I&#x27;m impressed. When exactly did Walter Bishop start working for you?&lt;&#x2F;s&gt;<p>P.S. I look forward to following your pending class-action lawsuit for violation of US federal wiretapping laws. Cheers!

This is a truly awesome hack. Good job!<p>The value for LinkedIn to vacuum up my email is immense! They&#x27;ll know everyone I email and the content of the emails as well. They&#x27;ll know where I shop and what I purchase. If I send a private email to a friend who has this installed, I&#x27;ve now unknowingly bcc&#x27;ed LinkedIn. Not only that, but they know this for the entire history of my email account! The person I stopped emailing 7 years ago... LinkedIn has access to that as well.<p>But in this case I don&#x27;t think the value prop for the user is big enough to make me overcome this large of an ask.<p>I appreciate LinkedIn addressing this in their Privacy Pledge, but so long as they retain the right to change it at any time, I&#x27;m too uncomfortable to install this. But, I&#x27;m still in awe of the creative work-around. :)

I don&#x27;t care who the company is, or how trustworthy you think they are: avoid giving third parties credentials to your inbox.

This is essentially a mitm attack. I am amazed that a company the size of LinkedIn would think that this is in any way appropriate. These are the tricks of spammers and cyber criminals. This is what LinkedIn has become.<p>Will customers be explicitly told that all of their emails will be going through and stored on LinkedIn servers? I doubt it. I do envision a dialog box along the lines of &quot;Click Here to make your experience better&quot;. Sadly people will click without realizing the implications.

Misleading title. Nobody did the impossible on iOS, just did clever things within the available frameworks. Well done author, it works. But did you ask yourself &quot;should I really do this?&quot;<p>What I hope is going to prove truly impossible is doing anything like this without requiring the user to explicitly accept the configuration profile. Even so I expect they will trick many into allowing &quot;enhancement&quot; of their email.<p>LinkedIn has a history of abusing email. From the early days* where they would email all of the contacts on your machine if you didn&#x27;t read carefully enough to today where you can click unsubscribe many, many times and still get &quot;important updates&quot;. It&#x27;s a wretched hive of scum and recruiters, and they will never get between me and my email.<p>*spoke too soon! looks like they still do it: <a href="http://community.linkedin.com/questions/10106/i-want-linkedin-to-stop-trying-to-access-my-email.html" rel="nofollow">http:&#x2F;&#x2F;community.linkedin.com&#x2F;questions&#x2F;10106&#x2F;i-want-linkedi...</a>

How (and Why) You Should Block LinkedIn Access to your Exchange Server Organization<p><a href="http://exchangeserverpro.com/blocking-linkedin-access-to-your-exchange-server-organization/" rel="nofollow">http:&#x2F;&#x2F;exchangeserverpro.com&#x2F;blocking-linkedin-access-to-you...</a><p><pre><code> &gt; I ran some tests with two brand new mailboxes, and it seems that LinkedIn &gt; accesses both the Contacts and the Sent Items. </code></pre> technical details: <a href="http://www.adamfowlerit.com/2013/06/02/linkedin-securityinformation-risks-with-exchange/" rel="nofollow">http:&#x2F;&#x2F;www.adamfowlerit.com&#x2F;2013&#x2F;06&#x2F;02&#x2F;linkedin-securityinfo...</a>

Technologically this is straightforward: it uses a proxy server that sits in between you and your actual mailserver.<p>I think the privacy concerns of having your mail (potentially) available over yet another server in exchange for modest convenience makes it unlikely that I would use this, but I&#x27;m sure many will find the trade-off acceptable and desirable.

Surely corporate IT departments are going to have a collective heart attack as employees start handing all their email to a third party?

Holy fucking shit Batman! Assuming I read this correctly LinkedIn will now have access to all of your emails, your email credentials, and will now have the ability to both spoof your email, and MITM all incoming mail (banking etc). I was actually impressed at some of the little hacks they found, until they dropped this on me halfway through the blog. My jaw hit the ground.<p>This is probably the most blatant disregard for privacy and security for the smallest possible benefit that I have ever seen. Well, next to giving LinkedIn the password to your email so that they can spam your friends and hack your account.<p>Everyone needs to stop using this piece of shit service. They&#x27;re incompetent and malicious. LinkedIn is the Zynga of HR. I&#x27;m gonna go buy some puts.<p>Disgusting.

This makes me wonder &quot;What if two programs did this?&quot; [1]<p>[1]: <a href="http://blogs.msdn.com/b/oldnewthing/archive/2005/06/07/426294.aspx" rel="nofollow">http:&#x2F;&#x2F;blogs.msdn.com&#x2F;b&#x2F;oldnewthing&#x2F;archive&#x2F;2005&#x2F;06&#x2F;07&#x2F;42629...</a>

IMO, LinkedIn has a history of enough bad business practices that it should be shunned like a pariah and treated with complete suspicion that they may have ulterior motives in designing this MITM app.<p>I have never joined LinkedIn and have never been interested in any position that requires an easily gamed LinkedIn profile instead of meatspace references.

Not only does it obliterate users&#x27; security but it introduces a potentially unreliable point of failure. Sometimes the hack is worse than the problem it solves. I hope they&#x27;re being extremely upfront with users about how this works, not that most users will really understand the implications...

I don&#x27;t understand why trusting LI with all your email is worse than trusting Google with all your email.<p>Sure, if you do it for your corporate email, you may be violating the rules of your employer, but that&#x27;s between you and your employer, and not enough reason to keep others from using an amazingly useful service for their own personal email.<p>Lost in all this discussion is just how awesome Rapportive is - the desktop gmail version has concretely and significantly changed my life for the better, and that&#x27;s not hyperbole. Being able to research people without leaving my inbox has saved hours of time in my life, made my communications with those people more effective, and prevented me from making at least a couple serious errors.<p>All that is worth the added risk, especially for my personal email. Curious: does everyone in this thread have equal outrage for those widgets that log into your email clients so that you can invite your friends?

So you give up your email credentials to LinkedIn and in exchange you get a little widget that tells you the name of the person who is emailing you, the company they work for, their position in the company, and some contact information? Isn&#x27;t that&#x27;s what the signature line is for? Seriously, don&#x27;t people already setup their signature line to include all that information.<p>It&#x27;s a cool hack, however.

The privacy outrage around this is nonsensical.<p>Over 500 million people trust Google with complete and indefinite access to their email. The leap from trusting no external email providers to trusting Gmail is much greater than this incremental step of trusting LinkedIn as well. The risk is similar to trusting an established company to automatically backup your emails, and smaller than trusting startups like Greplin (which rebranded and got acquired) to safeguard a dump of all your emails.<p>This is not to say the privacy and uptime risks are non-existent: the attack surface area is marginally increased and there is another system that could break.<p>Claiming LinkedIn&#x27;s doing a &quot;MITM attack on your email&quot; is on the same level as saying &quot;Google is Big Brother.&quot; Both statements capture an element of reality, but with an extremely alarmist bent.

To HN commenters:<p>If you don&#x27;t trust LinkedIn, fine. Don&#x27;t use it.<p>But please, don&#x27;t assume that LinkedIn is universally not trusted, the same way you assume that Microsoft is universally hated.<p>This is a neat feature, and I&#x27;m sure that many people trust LinkedIn enough to think that the trade-off is worth it. Would you prefer to not have the choice to have access to this feature, and prevent others from having it too?<p>I don&#x27;t see this kind of reaction when 99% of other services ask access to a third-party API. Why is this so different? Is it because they have access to emails? What makes email SO MUCH more important than any other data to be in a category of their own? I don&#x27;t think you can draw a line, and it&#x27;s pure subjectivity.<p>Surely, the service itself is not a problem. Google would do the same thing, and you would all think it&#x27;s the best thing since sliced bread? Why? Because most people already trust Google with their emails (and everything else), and accept that they know everything about them.<p>So please, don&#x27;t criticize the solution, don&#x27;t blame the hack (unless you can suggest a better way to do it). The only good reason not to use it is for lack of trust for LinkedIn, and nothing else.<p>I&#x27;ve had enough of your drama-seeking behaviors, and I don&#x27;t think I&#x27;m the only one. Grow up.

Apart from actually giving them the power to slip-stream their content into your messages, how is this different (access-wise) to what people have granted to the email-management app Mailbox? Seems like in both cases, you&#x27;re handing control of your inbox content over to an additional 3rd party unnecessarily.

So what happens if you reply to a mail like this? Does the quoted part contain all that linkedin fluff?

Wouldn&#x27;t this essentially allow them access to read&#x2F;analyze&#x2F;archive all of your email for any account you set up?

Proxy to return a header in your email. CSS to render the content upon click. IFrame to update content so it doesn&#x27;t get cached.<p>Cute web hacks. I don&#x27;t understand the problem with simply using their mobile app if you were really looking for work.<p>It sounds like an unnecessary feature for people who are looking and an annoyance to people who are not. That seems to be the problem of Linked In. They harass those who are working with vague and misplaced job requests in an attempt to expand their reach.<p>I also hate iFrames. Cool trick though.

This thread is a great example of filter-bubble thinking.<p>There is a trade-off between security and features here, and while for some people it&#x27;ll be worth it for others it won&#x27;t.<p>The majority of posters here are likely developers&#x2F;technical people for who the features aren&#x27;t that important and for who security is a much higher priority (because they&#x27;re thinking about it from a personal email perspective rather than a professional email perspective).<p>For people working in bizdev, sales, recruitment, etc. their equation is completely different. This delivers them high-value (being able to close more deals faster) with a relatively lower security trade-off.<p>Their professional email account is likely already hooked into their CRM, email analytics, backup service, audit and archiving services, address book services, etc. Their PA and corporate IT likely has access to their email as well. Adding Linkedin is just one more service from a company they already trust with highly confidential information (leads, Linkedin inbox mails, etc.)<p>(incidentally I&#x27;m guessing a lot of HN users probably have half a dozen chrome extensions for SEO, screen grabbing, debugging, etc. from unverified sources which have access to far more information than just your email credentials)

So if you sign up for enhanced email with LinkedIn, <i>all your incoming email goes through their servers</i>?

This is cool. I&#x27;m a little concerned that what they&#x27;ve done expose some security holes in the iPhone mail client. And, all of this work will be for naught when Apples fixes those.<p>(Specifically, iframes in emails have been stripped from most modern email clients for years)

&gt; A little-known fact about CSS on Mobile Safari: in certain circumstances, tapping a link once simulates a :hover state on that link, and tapping it twice has the effect of a click.<p>I have noticed that on websites that clearly don&#x27;t intend that behavior, and it&#x27;s quite annoying. Does anyone have any details about the exact circumstances required for this phenomenon?

Despite the privacy concern everyone is warring about, it is a beautiful integration. Technology is supposed to make life easier, not harder. Since Apple didn&#x27;t open the door, someone else will ended up doing it. I am sure an open source solution with own proxy + LinkedIn api will work as well. That should take away the privacy concern.

Is this a MITM attack wrapped as an App?

I see a lot of people (understandably) getting upset about the MITM aspect of this. But almost as surprising to me was the fact that you can load an iframe in an email with apparently no warning or notification to the user. This seems like its asking for exploitation, even without the ability to run JavaScript.

Even if we disregard the privacy concerns and trust the third party with our inbox, I can&#x27;t help imagining the consequences of a quiet compromise of their proxy service.

For all those calling this a &quot;hack&quot;, it is not. It is simply a &quot;man in the middle&quot; attack. It is wrong. It is a total violation of trust. It is gross.

I&#x27;d be really surprised if Apple will let them use all of these hacks for long... Still great way to get full access to all email from many users.

I am speechless. This is like the Facebook Android &quot;hack&quot; of the VM to support their crappy app wanting to use lots of classes, only this one is less offensive technically and more offensive from the security point of view. WTF.

&quot;an IMAP client may assume that the message will never change&quot;<p>I burst out in laughter at that point. Yeah, that silly presumptuous email client assuming an email is some kind of text message that doesn&#x27;t change every time you read it!

I think it&#x27;s a fairly well implemented hack. One question: does the iPhone mail client load the contents of iframes by default? Don&#x27;t these clients typically not load remote content like images?

I believe this is somewhat a defensive tactics. Let&#x27;s write a sugar-flavored article about how neat their hack is before someone said &quot;wait a minute! WTF?!&quot;.<p>To all those who consider this a cool hack - it&#x27;s not. It&#x27;s ugly as hell. Sometimes you need to do this kind of shit to get the job done, it&#x27;s true, but you know this is kind of thing that you look at after couple of month and think &quot;Oh God, I should get a another job. They shouldn&#x27;t force me to create THIS. Oh God, I feel so miserable.&quot;.

A privacy pledge, how cute! The problem with stuff like this is not knowing the third, fouth, and fifth party uses. Granted most user&#x27;s don&#x27;t read these disclosure and even more don&#x27;t have the technical aspects of how this works. But even if you&#x27;re ok with one big evil company have access to your inbox, allowing two just seems crazy. What happens when LinkedIn think of a cool way to use your emails from five years ago? By cool I of course mean horrifying.

This is a really cool hack but I would never hand over my email creds to someone like LinkedIn after their history with emails. They might decide one day to &quot;help&quot; you by inviting everyone you have emailed or has emailed you or they could start added a &quot;Connect With Josh&quot; link to the bottom of my outgoing emails that links to my LinkedIn.<p>Again, VERY cool how they did it but it requires quite a bit trust in a company that I don&#x27;t find very trustworthy.

<i>When we first built Rapportive for Gmail, people thought that we were crazy — writing a browser extension that modified the Gmail page on the fly, effectively writing an application inside someone else’s application! But it turned out to be a great success, and many others have since followed our footsteps and written browser extensions for Gmail.</i><p>The author is being a bit arrogant, there are more complex stuff that modifying gmail on the fly (remember greasemonkey?).

I&#x27;m with everyone else - give LinkedIn access to the contents of my email? No thanks.

Wow, super clever guys. It looks really compelling as well. We had been wondering what rapportive was up to, and we&#x27;re all very impressed.<p>Well done!

Also from their FAQ:<p>&quot;For technical reasons, you can&#x27;t remove the Intro app icon directly from the iPhone home screen.&quot; <a href="https://intro.linkedin.com/micro/faq" rel="nofollow">https:&#x2F;&#x2F;intro.linkedin.com&#x2F;micro&#x2F;faq</a><p>This is insane. Not only does the whole setup hijack your mail, it is implemented in a way that makes it very hard for users to remove it.

I&#x27;ve been talking to a number of startups whose products hinge on access to a user&#x27;s email inbox. Now here is LinkedIn doing this too. This trend is kind of disturbing to me, I can&#x27;t really imagine a future where most of the services I use require access to all of my personal e-mail. It&#x27;s quite scary.

Not only they can read the emails, but they could even change their content or create some false one as well. Good fun.

Does this mean that for a simple email : <i>See you in 5 minutes</i> or <i>Let&#x27;s go to lunch</i> , ... it would actually download a full Linkedin profile with it ? (Hidden with the CSS, but still downloaded). If so, it seems to be wasteful.<p>All the privacy issues it raises are already discussed.

I often wish there was a good way to do email &quot;apps&quot; like this without giving away the keys to the castle.<p>I&#x27;m just not comfortable giving my email credentials out when access to my email is effectively a skeleton key for the rest of my accounts via password resets.

I&#x27;d be all for this if the proxy were running on the device instead of LinkedIn&#x27;s servers.

As right as everyone is about how insecure this is, it&#x27;s a fun exercise to imagine how different the public response to this would be if it were one person&#x27;s hack project using self-hosted proxy. The hacks employed here are really cool.

Retitle this post as &quot;Major security flaws in iOS&quot; and you&#x27;ve done something brilliant. Intro is malware, plain and simple, but this post has exposed some serious holes in Apple&#x27;s security which will hopefully be fixed ASAP

It&#x27;s wrong wrong wrong on so many levels. It&#x27;s more unthinkable than impossible.

I didn&#x27;t realise Rappotive had been bought by LinedIn. Time to delete it from Gmail.

Privacy issues aside, have we really set the bar this low on what is or isn&#x27;t technically &quot;impossible&quot;? Because if so, that&#x27;s terribly sad and as an industry we should all be ashamed.

This should be extractable by &quot;algorithms&quot; these days: &quot;Our key insight was this: we cannot extend the mail client, but we can add information to the messages themselves&quot;

What a disgusting group of bottom-feeders LinkedIn has become. Question is: if I install this unwittingly and they do something to my email server side later-on (not that they have been accused of other vaguely unethical things) how much are they protected by the EULA?<p>FYI, in the state of NJ, not even your employer has the right to do many things with your work email. They recently decided this. I would love to the impending lawsuit with LinkedIn for similar reasons, but just for advertising.

Looks to me like Apple has some security to tighten up. I definitely don&#x27;t think you should be able to do most of this stuff, but you can&#x27;t really fault LinkedIn I don&#x27;t think. They made something that adds value to their product and it got approved by Apple. Either way, the hacks are cool ones and I&#x27;m glad Linked-in did this write up. Keep &#x27;em coming.<p>EDIT: not an app apparently.

The iPhone Mail app allows embedded CSS right? I mean, why not solve this for all mobile devices by adding the top bar to all emails, marking it display: none; and using media queries to show it if it&#x27;s a mobile resolution?<p>Also, pretty sure the :hover state touch interaction is something anyone who&#x27;s done any kind of mobile web development knows about.

While I can&#x27;t see the security-conscious user liking this, the CSS tricks could be a great tool in the bag of a company that wants to send actionable notifications or newsletters--either the giants like twitter, or SaSS tools like <a href="http://iterable.com/" rel="nofollow">http:&#x2F;&#x2F;iterable.com&#x2F;</a>.

Do I really need a mobile &quot;rapportive&quot; (acquired by linkedin recently) in exchange for ALL my emails? NO :P

Unless LinkedIn open sources it and I host my own copy, there is no way for me to hand all my emails to LinkedIn.

For some weird reason (having dealt with newsletter projects), manipulating the html through the IMAP services was the first thing i could think of.<p>But i wouldn&#x27;t do that, because this way, you can intercept all messages that people are mailing and it would harm your business image (at least, in my eyes).

There is definitely not much value here for risk involved (handing out your credentials to a 3rd party). Although interesting, the hack seems pretty straight forward. I wonder if they had to do something more complex for 2-face authentication enabled accounts (gmail) or that is not supported?

Interesting hack. So since you inject that social info at the time of the email, that means if someone gets a new job, it will still show the old employer info &#x2F; position in the older emails... right? What made you guys do this instead of your own mail app like Mailbox?

Certainly an interesting workaround. I&#x27;m not that familiar with iOS development, so could someone explain what technical reasons there might be for running a remote imap proxy server to do the message modifications rather than a local (on device) one?

There are some really neat technical stuff at linkedin, it&#x27;s just a shame the site is a pile of spamming shit. If they overhauled it and got rid of all the annoying things then it would actually be decent.

This is not their first hacks.<p><a href="http://www.scribd.com/doc/169844985/LinkedIn-Hacking" rel="nofollow">http:&#x2F;&#x2F;www.scribd.com&#x2F;doc&#x2F;169844985&#x2F;LinkedIn-Hacking</a>

I want to see a documentary showing how such a feature was conceived, greenlighted, implemented, and ultimately released without someone pulling the plug.

This is a game changer. Love this idea, and also would love to see other big social networks using the same technology to make our mail more interactive.

Love it - great work.

Not sure why they went through all that hassle for a something that Apple will surely outlaw in a few weeks.<p>Seems like an awful waste of time to me.

I have this Linkedin account. As a German its usefulness approaches zero. Its security problems seem to grow.<p>Looks like it is time to dump Linkedin.

A friend of mine pointed out that it&#x27;s surprising that the iOS mail app supports iframes. Isn&#x27;t that a security issue?

They should have open-sourced their MitM IMAP service and allow to use your own, and then this would have been a cool hack.

I feel sorry for the poor folks who had to engineer this &#x27;product&#x27;. What a sad thing to have on your resume.

Awesome article. I was curious why is it possible to iframe the button but not the whole contact info? Thanks

It&#x27;s a clever hack but &quot;Doing the impossible&quot; is a ridiculous oversell headline.

I didn&#x27;t know proxy servers were part of apple&#x27;s approved apps.

Does anyone know if this works with the Gmail iPhone app as well?

An easy hack for them to collect their users phone numbers too.

Wow, I am amazed.

What a huge, ugly crotch.

I will never use this.

This seems very very very brittle. Some over compensating product asshat managed to convince their code monkeys into building something that will probably break easily not to mention security concerns with giving them your mailbox access.

While this is truly impressive, am I the only one who considers LinkedIn just a place from which recruiters send tons of unwanted spam?

Why would anyone wanna use this? Plus, we&#x27;re talking LinkedIn here!