Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Back for a limited time - Get 15% off sitewide on Slashdot Deals with coupon code "BLACKFRIDAY" (some exclusions apply)". ×

Submission + - LinkedIn Defends Intro App, But Researcher Uses it for Phishing

Trailrunner7 writes: LinkedIn stood up for its new Intro app for iOS by providing some high-level transparency into how it handles communication between devices and its network, and took time to call initial criticism of the app inaccurate and speculative.

In the meantime, one security researcher posted details online of how he was able to spoof the profile information LinkedIn drops into the iOS Mail app and the relative ease with which this facilitates a phishing attack.

None of that, however, deterred security researcher Jordan Wright, a security engineer at CoNetrix, from managing to spoof Intro profile information inserted into a Mail client message.

Wright posted some details on his blog. He started by intercepting the security profile sent to an Apple device that installs the new email account acting as a proxy that sits between LinkedIn’s IMAP and SMTP servers. From the profile, he was able to recover the username and password used to log into LinkedIn’s services. Using that information, he was able to see the content LinkedIn’s IMAP proxy injects into an email and ultimately hide the existing Intro data in favor of spoofed data he injected into the message.
This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

LinkedIn Defends Intro App, But Researcher Uses it for Phishing

Comments Filter:

Quark! Quark! Beware the quantum duck!