Earlier today I read a blog post by fellow Australian IT pro Adam Fowler. In the post Adam shares his observation that LinkedIn is now asking users for their corporate (ie Outlook) login credentials for adding new connections.
Adam also provides details for how to block LinkedIn’s servers from making the connection to your Exchange org should one of your users actually provide them with the login details. The solution is fairly straightforward and worth considering, so please check it out and make up your own mind.
I shared my own opinion of the matter earlier today on Twitter as well.
— Exchange Server Pro (@ExchServPro) June 3, 2013
Though most people seemed to agree with me, there was some debate about whether this feature of LinkedIn is as bad as I said it was.
On the one hand, it is a convenient way for LinkedIn users to add connections to their account. It is also something that is made technically possible by the way Exchange remote access works, if a company allows access with username/password only (eg without requiring two-factor).
On the other hand, LinkedIn has a history of serious security breaches. Also, it is one thing for a user to make a decision about whether to provide their personal email (eg Gmail) password when adding connections; it is a far more serious matter when they are providing corporate login credentials.
- If LinkedIn were currently breached (without their knowledge), the credentials could be stolen each time they are submitted
- Giving your corporate login credentials to a third party like this is a breach of many IT usage policies and can result in employee termination (not a good look when LinkedIn is supposed to help you with your career, not damage it)
- It trains users that giving away their credentials to websites is okay (imagine a spoofed LinkedIn page and a phishing email campaign to trick users into visiting it)
Bottom line, I think this is a terrible thing and LinkedIn should stop it.
If you’re still not convinced, and in particular if you think LinkedIn is trustworthy and this is just harmless access to a user’s personal contacts, here is a screenshot of the “contacts” that LinkedIn found when I entered the login details for one of my test lab users.
LinkedIn suggested I connect with 107 people.
Meanwhile, the mailbox actually only has a small number of contacts in it.
It appears that LinkedIn accesses something other than just the contacts in the mailbox when a person provides them with corporate login credentials.
I ran some tests with two brand new mailboxes, and it seems that LinkedIn accesses both the Contacts and the Sent Items. For a test mailbox with no Contacts or Sent Items at all the LinkedIn page returned an error that it wasn’t able to recognise the webmail URL I had provided. But as soon as I sent just one email, the next attempt returned that email address in the list to invite to connect on LinkedIn.
Is this a bad thing? Absolutely, especially when LinkedIn has trouble telling the difference between a mailbox and a mailing list.
So what does LinkedIn store when you give them your login details?
In the first screenshot of the article you can see I had to provide the email address, username, password, and webmail URL.
On a second test run, I only had to provide username and password.
That email address hasn’t previously been associated with my LinkedIn account, and for a lot of organizations the username for remote access is the same as the email address. So now in a LinkedIn breach the attacker will get my corporate email address, username (if it is the same as the email), and webmail URL. (Update: it was suggested to me that the details might just be stored in a cookie on my computer. So I tried from a different computer, in a different browser, from a different internet connection, and LinkedIn still has the webmail URL and email address already there).
What do you think, should LinkedIn stop offering this feature? Or should it be up to Exchange administrators to block LinkedIn from accessing their servers?
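For administrators who decide to take the second option, here is an added example (not code from this post or from Adam’s post) of the organization-level control Exchange provides for this: restricting which client applications may use Exchange Web Services by their User-Agent string. It assumes the third-party service connects over EWS; the user-agent pattern is a placeholder, not a real LinkedIn value, and the actual string would need to be read from the EWS IIS logs on your Client Access servers.

```powershell
# Added example: block a named third-party application from EWS across the organization
# while leaving other EWS clients untouched.
# "ThirdPartyContactImporter*" is a placeholder pattern, not a real LinkedIn user agent;
# replace it with the User-Agent observed in the EWS IIS logs. Wildcards are supported.
$blockedAgent = 'ThirdPartyContactImporter*'

# Record the current policy before changing anything
Get-OrganizationConfig | Format-List EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

# Merge the new pattern into any existing block list entries, dropping blanks and duplicates
$current = (Get-OrganizationConfig).EwsBlockList
$newList = @($current) + $blockedAgent | Where-Object { $_ } | Select-Object -Unique

# Switch the organization to enforce the block list with the merged entries
Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList -EwsBlockList $newList

# Verify the change took effect
Get-OrganizationConfig | Format-List EwsApplicationAccessPolicy, EwsBlockList

# The same parameters exist per mailbox on Set-CASMailbox, and a mailbox-level policy
# overrides the organization-level one, so check both when troubleshooting access.
```

This only filters on a self-declared User-Agent header and does nothing for an attacker who already holds the password, so it complements, rather than replaces, the two-factor requirement mentioned above.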
Update 29/6: LinkedIn responded to my questions:
I tested again with a completely new account and found that:
- The behaviour of scraping sent items has not changed
- LinkedIn had retained all previous email addresses it collected from test accounts I used weeks ago, and was including them in the suggested contacts list yet again
- The scraping is indiscriminate, even finding a conference room and an Exchange 2013 health mailbox