LinkedOut! LinkedIn is violating your privacy

LinkedIn’s mobile application has an interesting feature that allows users to view their iOS calendars within the app. However, it turns out that LinkedIn have decided to send detailed calendar entries of users to their servers. The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes. If you have decided to opt-in to this calendar feature in iPhone, LinkedIn will automatically receive your calendar entries and will continue doing so every-time you open your LinkedIn app.

What is the problem exactly?
LinkedIn’s app collects full meeting details from one’s iOS calendar, which contains sensitive information such as meeting notes. While accessing this information locally by the app is not a problem by itself, this information is collected and transmitted to LinkedIn’s servers; moreover, this action is currently performed without a clear indication from the app to the user, thus possibly violating Apple’s privacy guidelines (section 17.1: “Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used”). The biggest problematic factor lies in the fact that most of the transmitted information is not required for the app’s functionality, as described later on.

What information is being collected and sent to LinkedIn’s servers?
Every time you launch LinkedIn’s app for iPhone, it automatically sends out all of your calendar entries for a five-days time frame. The meetings information is being collected from all the calendars on the iOS machine, thus possibly exposing information from both personal and corporate calendar accounts.
Calendar meeting that are being sent out contain: meeting title, organizer and attendees, location, time and meeting notes. It should be noted that the names and email addresses of the meeting organizer and attendees are collected even for those who do not have a LinkedIn account.

As an example, creating a financial results meeting in your private calendar leads to data leakage to LinkedIn during your normal usage of the LinkedIn app. Below you can find the actual leaked data, which was acquired by analyzing the traffic the app generates.

Calendar details traffic leakage

Is the collected information needed for LinkedIn’s functionality?
Not that we are aware of. In order to implement their acclaimed feature of synchronizing between the people you meet and their LinkedIn profile, all LinkedIn need is unique identifiers of the people you are going to meet with, not all the details of your planned meetings; details such as meeting schedule, location, title or notes, which tend to be sensitive in particular for organizations, are irrelevant for this task.

What should LinkedIn do?
In order to achieve its desired functionality, the LinkedIn app should refrain from sending full meeting details to their servers. Instead, the app should communicate to LinkedIn’s servers only a small relevant subset such as the attendees of the meeting. In a matter of fact, the users’ privacy can be further improved by sending-over hashed versions of the contacts data instead of the raw contacts data, thus preserving a better privacy model.
In addition, we believe the app should clearly communicate to its users the kind of information it sends back to LinkedIn’s servers.
We have communicated the aforementioned to LinkedIn, and understand it is being examined by their Risk and Privacy Operations team. However, at the time of writing this post, the issue is still not fixed.

What should Apple do?
On a more strategic level, there may be additional mobile applications that extract sensitive calendar details and then transmit them out of the device. At the moment, such applications may be able to do so without a clear indication to the user, thus possibly violating Apple’s privacy guidelines. Therefore, we believe Apple could improve their screening process by leveraging static analysis technologies to detect such violations and better enforce its privacy policy on submitted applications.

Have LinkedIn used the acquired information in a bad way? Did LinkedIn have bad intentions?
To the best of our knowledge and based on LinkedIn’s good reputation and leadership in the market, we do not believe it utilized the collected information in a malicious way. However, we are concerned by the fact it collects and sends-out sensitive information about its users, without a clear indication and consent.

How can I verify I’m not affected by this privacy leak?


The following instructions cover the actions that need to be done to verify your calendar(s) information is not being transmitted to LinkedIn’s servers. These instructions apply for the most updated iPhone LinkedIn version. Similar actions can be applied for the iPad version of the app.
1. Click on the LinkedIn icon in the upper left part of the screen
2. Click on the “You” view
3. Click on the settings icon in the upper right part of the screen
4. Click on the “Add Calendar” option in the Settings page
5. Toggle off the “Add Your Calendar” option.

Discovered by:
Adi Sharabani and Yair Amit, Skycure

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: