LinkedIn privacy fail
The LinkedIn mobile app for iOS devices has been discovered sending potentially confidential private and business information to the company servers without the users’ knowledge.
The fact was discovered by Yair Amit and Adi Sharabani, researchers and founders of Skycure Security, who are set to present their findings during a security workshop at Tel Aviv University today.
The feature responsible is the opt-in calendar sync, which collects data from every calendar (personal and corporate) on the iOS device.
“The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes,” the researchers point out.
“While accessing this information locally by the app is not a problem by itself, this information is collected and transmitted to LinkedIn’s servers; moreover, this action is currently performed without a clear indication from the app to the user, thus possibly violating Apple’s privacy guidelines.”
The researchers say that, to implement the feature of matching the people one meets with their LinkedIn profiles, the company does not actually need that many details sent to its servers, only the unique identifiers of those people. They add that this information should be sent in encrypted form, and that users should be clearly informed that it is being sent.
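The data-minimization point the researchers make can be shown concretely. The following Python is an added example, not code from the article, from Skycure, or from LinkedIn: it contrasts a sync design that uploads whole calendar events with one that uploads only a stable identifier per attendee. All event data, names, e-mail addresses and the dial-in passcode are constructed for the example, and the field names (`subject`, `notes`, `attendees`, and so on) are assumptions rather than the app's real schema.

```python
import hashlib
import json
from typing import Any, Dict, Iterable, List, Set

# Constructed sample calendar events; people, addresses, and the passcode are
# made up for this example and do not come from the article.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "subject": "Q3 budget review",
        "location": "Room 4B",
        "start": "2012-06-06T10:00",
        "end": "2012-06-06T11:00",
        "notes": "Dial-in 555-0100, passcode 918273",
        "attendees": ["Alice.Example@corp.example", "bob@partner.example"],
    },
    {
        "subject": "Dentist",
        "location": "Main St clinic",
        "start": "2012-06-07T09:00",
        "end": "2012-06-07T09:30",
        "notes": "",
        "attendees": ["alice.example@corp.example"],
    },
]

# The fields the researchers single out as sensitive content that a
# contact-matching feature has no need to take off the device.
SENSITIVE_FIELDS: Set[str] = {"subject", "location", "start", "end", "notes"}


def normalize_email(address: str) -> str:
    """Canonicalize an e-mail address so the same person hashes the same way."""
    return address.strip().lower()


def attendee_identifier(address: str) -> str:
    """Derive a stable identifier for an attendee without sending the event.

    A plain SHA-256 of the address lets the server match it against its own
    hashed member list, but it is not anonymization: anyone who already
    knows the address can recompute the hash. That is acceptable here
    because recognizing its own members is exactly the server's job.
    """
    return hashlib.sha256(normalize_email(address).encode("utf-8")).hexdigest()


def full_sync_payload(events: Iterable[Dict[str, Any]]) -> Dict[str, Any]:
    """The over-collecting design the article describes: upload whole events."""
    return {"events": [dict(e) for e in events]}


def minimal_sync_payload(events: Iterable[Dict[str, Any]]) -> Dict[str, Any]:
    """Data-minimized design: upload only de-duplicated attendee identifiers."""
    identifiers = {
        attendee_identifier(a) for e in events for a in e.get("attendees", [])
    }
    return {"attendee_ids": sorted(identifiers)}


def leaked_fields(payload: Any, sensitive: Set[str] = SENSITIVE_FIELDS) -> Set[str]:
    """Walk a JSON-like payload and report which sensitive field names it carries."""
    found: Set[str] = set()
    if isinstance(payload, dict):
        for key, value in payload.items():
            if key in sensitive:
                found.add(key)
            found |= leaked_fields(value, sensitive)
    elif isinstance(payload, list):
        for item in payload:
            found |= leaked_fields(item, sensitive)
    return found


if __name__ == "__main__":
    full = full_sync_payload(SAMPLE_EVENTS)
    minimal = minimal_sync_payload(SAMPLE_EVENTS)
    print("full payload carries:", sorted(leaked_fields(full)))
    print("minimal payload carries:", sorted(leaked_fields(minimal)))
    print(json.dumps(minimal, indent=2))
```

Running the script shows the full payload carrying every sensitive field, including the notes with the passcode, while the minimal payload contains two opaque identifiers and nothing else. The `leaked_fields` walk is the kind of check a reviewer can run against any outbound payload before it is handed to the network layer; transport encryption, which the researchers also call for, is a separate control and does not reduce what the server receives.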
Questioned by Nicole Perlroth, a LinkedIn spokeswoman did not explain why all of this data is harvested and sent to the servers; she reiterated that the feature is opt-in and said nothing about whether the company will change the app to stop this privacy snafu from happening in the future.
In the meantime, those users who want to stop this from happening to them can toggle off the “Add Your Calendar” option in the Sync Calendar feature of the LinkedIn app.
UPDATE: Joff Redfern, Mobile Product Head at LinkedIn, took to the company blog to point out that they do ask the users’ permission before accessing their calendar (as it is an opt-in feature) and that the information is sent over a secure SSL connection to the servers, where it is not stored or shared.
Still, he says that the LinkedIn app for Android has been modified to no longer send data from the meeting notes section of the users’ calendar event, and that a new “learn more” link has been added to provide more information about how their calendar data is being used.