LinkedIn iOS App Transmitting Unsecured iCal Information To Servers
It is not a good day to be LinkedIn, first I reported that the company may have been hacked to the tune of 6.5 million account passwords and now Skycure Security experts Yair Amit and Adi Sharabani have found a potential security threat on the LinkedIn iOS app.
According to the security experts an opt-in feature is gathering and sending information back to LinkedIn whenever users access their calendar application. The insecurity becomes a larger problem when we realize the data is transferred in plain text format. Users with confidential meetings and other stored information could find their details in the wrong hand if the unsecured data transfer is exploited.
By accessing iOS calendars from within the application LinkedIn users are able to better plan and schedule meeting times, however the app does not tell users it will collect and transfer that information to LinkedIn servers which in turn could result in a breach of Apple’s own privacy guidelines.
The security firm also found that the amount of information being passed along to LinkedIn servers is much higher than what is required by the app. According to the security firms blog the app uses “unique identifiers for individuals at the meeting and not information such as locations, titles, notes, and other potentially sensitive corporate details.”
With no encryption or obfuscation being used those identifiers can easily be picked up by hackers.
On its official company blog LinkedIn says in an update that they do not store calendar information on their servers, and that they don’t use the data for any purpose “other than that of matching it with relevant LinkedIn profiles.”
Regardless of LinkedIn’s storage of that information it is still being transmitted in plain text format, an issue the company did not immediately address.
This is not the first security issue LinkedIn has been faced with today, the company is rumored to have lost 6.5 million user passwords to a hacker. According to reports LinkedIn passwords were stored using SHA-1 cryptographic hash functions which are found in SSL and TLS security protocols. While actual passwords were being stored as unsalted hashes which makes them easier to decipher using pre-computed rainbow tables.