LinkedIn confirms calendar flaw (includes raw findings)

As LinkedIn confirmed reports it is investigating a data breach, it also acknowledged a flaw researchers discovered in its calendar program. Here are the basic details, followed by the raw report researchers Yair Amit and Adi Sharabani sent me.

The basics come from a news report from my colleague over at the IDG News Service, Lucian Constantin:

LinkedIn has confirmed researcher claims that the calendar integration feature in its mobile apps sends complete details about people's upcoming meetings back to the company's servers, and it has updated the apps to limit what's being collected. Back in April, LinkedIn added an opt-in feature to its iOS and Android apps that uses calendar event details to identify the LinkedIn profiles of individuals with whom users of the apps are scheduled to meet.

Researchers from security vendor Skycure Security have analyzed how this feature works and found that LinkedIn's iOS app doesn't only inspect calendar meeting details locally on the device, but actually sends the information back to LinkedIn's servers. This poses a serious privacy risk because some of the collected information can be highly sensitive. For example, calendar meeting notes tend to include conference call numbers and passcodes, Skycure co-founder and CEO Yair Amit said.

The researchers initially contacted me about this a few days ago, and yesterday I obtained a full .pdf of their report. What follows is that report in full:

LinkedOut - A LinkedIn Privacy Issue

Researched and found by: Yair Amit and Adi Sharabani

I would like to share with you the details of a privacy issue Adi Sharabani and I have recently discovered in LinkedIn’s iOS application, as part of our ongoing mobile security research here at Skycure. Adi is going to present the discovery later on today, at the Yuval Ne'eman workshop annual international conference about cyber security; you are welcome to attend, it should be a great presentation. :)

LinkedIn’s mobile application has an interesting feature that allows users to view their iOS calendars within the app. However, it turns out that LinkedIn has decided to send detailed calendar entries of users to their servers. The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and, more importantly, personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes. If you have decided to opt in to this calendar feature on iPhone, LinkedIn will automatically receive your calendar entries and will continue doing so every time you open your LinkedIn app.

What is the problem exactly?

LinkedIn’s app collects full meeting details from one’s iOS calendar, which contains sensitive information such as meeting notes. While accessing this information locally by the app is not a problem by itself, this information is collected and transmitted to LinkedIn’s servers; moreover, this action is currently performed without a clear indication from the app to the user, thus possibly violating Apple’s privacy guidelines (section 17.1: “Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used”). The biggest problematic factor lies in the fact that most of the transmitted information is not required for the app’s functionality, as described later on.

What information is being collected and sent to LinkedIn’s servers?

Every time you launch LinkedIn’s app for iPhone, it automatically sends out all of your calendar entries for a five-day time frame. The meeting information is collected from all the calendars on the iOS machine, thus possibly exposing information from both personal and corporate calendar accounts. Calendar meetings that are sent out contain: meeting title, organizer and attendees, location, time and meeting notes. It should be noted that the names and email addresses of the meeting organizer and attendees are collected even for those who do not have a LinkedIn account.

As an example, creating an “Internal financial results” meeting in your private calendar leads to data leakage to LinkedIn during your normal usage of the LinkedIn app. Below you can find the actual leaked data, which was acquired by analyzing the traffic the app generates.

Is the collected information needed for LinkedIn’s functionality?

Not that we are aware of. In order to implement their acclaimed feature of synchronizing between the people you meet and their LinkedIn profile, all LinkedIn needs is unique identifiers of the people you are going to meet with, not all the details of your planned meetings; details such as meeting schedule, location, title or notes, which tend to be sensitive in particular for organizations, are irrelevant for this task.

What should LinkedIn do?

In order to achieve its desired functionality, the LinkedIn app should refrain from sending full meeting details to their servers. Instead, the app should communicate to LinkedIn’s servers only a small relevant subset such as the attendees of the meeting. As a matter of fact, the users’ privacy can be further improved by sending over hashed versions of the contacts data instead of the raw contacts data, thus preserving a better privacy model.

In addition, we believe the app should clearly communicate to its users the kind of information it sends back to LinkedIn’s servers.

We have communicated the aforementioned to LinkedIn, and understand it is being examined by their Risk and Privacy Operations team. However, at the time of writing this post, the issue is still not fixed.

What should Apple do?

On a more strategic level, there may be additional mobile applications that extract sensitive calendar details and then transmit them out of the device. At the moment, such applications may be able to do so without a clear indication to the user, thus possibly violating Apple’s privacy guidelines. Therefore, we believe Apple could improve their screening process by leveraging static analysis technologies to detect such violations and better enforce its privacy policy on submitted applications.

Has LinkedIn used the acquired information in a bad way? Did LinkedIn have bad intentions?

To the best of our knowledge and based on LinkedIn’s good reputation and leadership in the market, we do not believe it utilized the collected information in a malicious way. However, we are concerned by the fact it collects and sends out sensitive information about its users, without a clear indication and consent.

How can I verify I’m not affected by this privacy leak?

The following instructions cover the actions that need to be done to verify your calendar(s) information is not being transmitted to LinkedIn’s servers. These instructions apply to the most updated iPhone LinkedIn version. Similar actions can be applied for the iPad version of the app.

1. Click on the LinkedIn icon in the upper left part of the screen

2. Click on the “You” view

3. Click on the settings icon in the upper right part of the screen

4. Click on the “Add Calendar” option in the Settings page

5. Toggle off the “Add Your Calendar” option
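The report above contrasts the full payload it says the app transmits (title, organizer, attendees, location, time and notes for every meeting in a five-day window) with the minimized payload it recommends (only the attendees, preferably hashed). The following Python is an added illustration of that recommendation; it is not part of the Skycure report, the article, or LinkedIn's app, and the event field names, the five-day window, the SHA-256 identifier and the `self_email` exclusion are assumptions for illustration, since the page does not show LinkedIn's actual wire format. The sample events are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta
from email.utils import parseaddr

# Constructed sample calendar entries in the shape the report describes
# (title, organizer, attendees, location, time, notes). Not real data.
SAMPLE_EVENTS = [
    {
        "title": "Internal financial results",
        "organizer": "Alice Example <alice@example.com>",
        "attendees": ["bob@example.com", " Carol@Example.com "],
        "location": "Boardroom 4",
        "start": "2012-06-06T10:00:00",
        "notes": "Dial-in +1-555-0100, passcode 123456#",
    },
    {
        "title": "Coffee with Dan",
        "organizer": "me@example.com",
        "attendees": ["dan@partner.example"],
        "location": "Cafe on 5th",
        "start": "2012-06-07T09:00:00",
        "notes": "",
    },
    {
        "title": "Board offsite",
        "organizer": "me@example.com",
        "attendees": ["far@example.com"],
        "location": "Offsite venue",
        "start": "2012-06-20T09:00:00",
        "notes": "Agenda attached",
    },
]

# Assumed "now" for the demo, so the five-day window is deterministic.
DEMO_NOW = datetime(2012, 6, 5, 12, 0)


def in_window(event, now, window_days):
    """True if the event starts within [now, now + window_days)."""
    start = datetime.fromisoformat(event["start"])
    return now <= start < now + timedelta(days=window_days)


def full_payload(events, now, window_days=5):
    """What the report describes the app sending: every field of every
    meeting in the window, including the notes."""
    return [dict(e) for e in events if in_window(e, now, window_days)]


def normalize_email(addr):
    """Extract the bare address from 'Name <addr>' forms, trim, lowercase,
    so the same person hashes to the same identifier."""
    _, email = parseaddr(addr.strip())
    return email.strip().lower()


def hash_identifier(email):
    """Hypothetical wire identifier: SHA-256 of the normalized address.
    Caveat: an unsalted hash of an email address is only as secret as the
    address itself. Anyone holding a list of addresses (the server, or
    whoever captures the payload) can match it by hashing their own list.
    This minimizes what is sent; it does not anonymize the contact."""
    return hashlib.sha256(email.encode("utf-8")).hexdigest()


def minimized_payload(events, now, window_days=5, self_email=None):
    """Hypothetical replacement payload: deduplicated hashed identifiers of
    organizers and attendees for meetings in the window, nothing else.
    Title, location, time and notes never leave the device."""
    me = normalize_email(self_email) if self_email else None
    hashes = set()
    for e in events:
        if not in_window(e, now, window_days):
            continue
        for who in [e.get("organizer", "")] + list(e.get("attendees", [])):
            email = normalize_email(who)
            if email and email != me:
                hashes.add(hash_identifier(email))
    return {"contact_hashes": sorted(hashes)}


def serialized(payload):
    """The bytes that would go on the wire, as JSON text."""
    return json.dumps(payload, sort_keys=True)


def leaked_fields(payload):
    """Which meeting fields appear in a serialized payload, to make the
    difference between the two payloads visible."""
    sensitive = ["attendees", "location", "notes", "organizer", "start", "title"]
    text = serialized(payload)
    return [f for f in sensitive if f'"{f}"' in text]


if __name__ == "__main__":
    print("full:", serialized(full_payload(SAMPLE_EVENTS, DEMO_NOW)))
    print("minimized:", serialized(
        minimized_payload(SAMPLE_EVENTS, DEMO_NOW, self_email="me@example.com")))
```

Running it prints the full payload, which still carries the dial-in passcode from the notes field, beside the minimized one, which carries only four opaque identifiers. The caveat in `hash_identifier` is the check a practitioner should make before calling a hashed-contact scheme "private": the server can still link each hash to a known user, which is the intended matching function, and so can anyone else who holds a candidate list of addresses.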

Copyright © 2012 IDG Communications, Inc.