LinkedIn scrambles to plug security and privacy breaches

LinkedIn has had a rough week: not only were they caught transmitting sensitive calendar data in plain text to their servers from their iOS app, but a recent security breach has also left more than a few passwords exposed.

The optional calendar feature in the iOS app aims to match up attendees with their LinkedIn profiles. The problem is that to do so, the app transmits sensitive contact, time, place, and dial-in meeting details without any kind of hashing (although they are sent over SSL). The worst part is that the researchers who found the privacy breach say LinkedIn doesn't even need to do things this way in order to retain calendar sync functionality. LinkedIn has been fairly unapologetic about their implementation of the feature, claiming that unlike Path they don't store any of the meeting information on their servers. Still, they released an update yesterday that removed the transmission of meeting notes of calendar events.
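To make the researchers' point concrete, here is an added example (not LinkedIn's code) of what a data-minimized attendee-matching request could look like: only a one-way fingerprint of each attendee's address leaves the device, while title, location, dial-in and notes are never serialized. The event below is constructed; note that a plain hash of an email address is still guessable for anyone who already knows that address, so this protects the meeting content rather than hiding who attended.

```python
import hashlib
import json

# Constructed sample event, shaped like what a calendar sync feature would read.
SAMPLE_EVENT = {
    "title": "Q3 board review",
    "location": "Room 4B",
    "start": "2012-06-07T09:00:00Z",
    "dial_in": "+1-555-0100 PIN 4321",
    "notes": "Discuss reorganisation before the announcement",
    "attendees": ["Alice@Example.com", "bob@example.com "],
}


def normalize_email(addr: str) -> str:
    """Lower-case and trim so the same mailbox always yields the same identifier."""
    return addr.strip().lower()


def attendee_fingerprint(addr: str) -> str:
    """One-way identifier used for matching: SHA-256 of the normalized address.
    The server computes the same digest over its own members' addresses and
    compares digests, so it never receives the raw address from the device."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def build_naive_request(event: dict) -> dict:
    """The over-sharing approach: ship the whole event, notes and dial-in included."""
    return dict(event)


def build_match_request(event: dict) -> dict:
    """Data-minimized request: only attendee fingerprints are sent. Title,
    location, time, dial-in and notes are not needed to match profiles."""
    return {"attendees": sorted(attendee_fingerprint(a) for a in event["attendees"])}


def leaks_meeting_details(payload: dict, event: dict) -> bool:
    """Defensive check: does the serialized payload contain any raw sensitive field?"""
    blob = json.dumps(payload)
    sensitive = [event[k] for k in ("title", "location", "dial_in", "notes")]
    sensitive += [a.strip() for a in event["attendees"]]
    return any(value in blob for value in sensitive)
```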

As for the passwords, LinkedIn hasn't offered much information as to how or where the breach occurred, but they've automatically reset the password of affected users. LinkedIn has also pledged to add some extra security measures, such as hashing and salting their current password databases.

Considering their membership is predominantly business professionals, this security hoopla is definitely embarrassing and could cost LinkedIn some hard-to-regain credibility. It's unfortunate that Apple didn't catch LinkedIn's calendar gap through the App Store approval process, but the SSL tunnel might have hidden the lack of salting in SHA-1.
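The difference between unsalted SHA-1 and the salted hashing LinkedIn has pledged to add, as an added illustration (not LinkedIn's implementation): with the legacy scheme every user who picked the same password gets the same stored digest, so one leaked table exposes all of them at once; with a per-user salt and a slow iterated hash the records are unique and costly to guess. The user records are constructed.

```python
import hashlib
import hmac
import os

# Constructed user records: three users, two of whom share a password.
USERS = {"ann": "correcthorse", "ben": "correcthorse", "cy": "Tr0ub4dor&3"}


def legacy_store(password: str) -> str:
    """Unsalted SHA-1, the scheme behind the leaked hashes. Deterministic:
    identical passwords give identical digests across users and across sites."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hardened_store(password: str, iterations: int = 600_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256. Stored as
    'iterations$salt$digest' so the work factor can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def hardened_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def indistinguishable_records(records: dict) -> int:
    """Count stored records that are byte-identical to another user's record.
    Unsalted: equals the number of users sharing a password. Salted: zero."""
    by_record = {}
    for user, rec in records.items():
        by_record.setdefault(rec, []).append(user)
    return sum(len(users) for users in by_record.values() if len(users) > 1)
```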

That said, how comfortable are you with the idea that other apps on your iPhone or iPad might be sending your data off somewhere in plain text after you've given them permission to access your calendar? What about contacts? Does iOS need a more granular permissions system? How would you feel if your friends were unwittingly sending off personal information about you to a server from their iPhone without your permission?

(Rene and the folks from Tech News Today discussed this on a podcast yesterday; check it out for more.)

Source: LinkedIn, Skycure, TNW

Simon Sage

Editor-at-very-large at Mobile Nations, gamer, giant.


Toloy2k says:

Hi
This isn't the only breach from what I can see. I set up an email address to join LinkedIn for networking. I have only used this email address once, and that was to sign up for LinkedIn; within an hour of this my inbox was full of spam emails, from porn sites to fake banks, imitating the email address I created.
I tested this again with another email address and was again flooded with spam emails.
Some might say this may be my email ISP etc., but I don't get spam in my day-to-day email address, which sits on the same servers.

Dan says:

This has also happened at my business when the higher-ups use Evite to set up an event.
Privacy is such a main concern of mine that I simply stay the hell off sites like LinkedIn, Facebook, etc.

Icebox says:

Where did you set up the address? Spammers constantly bombard the free email services.

Déja Vu says:

"It's unfortunate that Apple didn't catch LinkedIn's calendar gap through the App Store approval process"
Sounds like a broken record to me. Apple, PLEASE invest in security! PLEASE!!!

Wattie says:

As soon as I realised they cannot secure passwords, that was enough for me... Account Closed

iririr says:

Another reason why I am still using a BB
