There’s trouble in paradise once again for many iOS users. Following an incident earlier this year in which iOS app Path was found to insecurely upload users’ address books without permission, the LinkedIn iOS app has been found to be guilty of a similar breach of personal data.
The Verge reports on the concerning findings:
Researchers from Skycure Security have discovered that LinkedIn’s iOS app has been gathering users’ calendar data and transmitting it back to the social network’s servers. As The Next Web reports, the company’s app for iPhone and iPad has been collecting and dispersing these data without user permission, though this only occurs when a user opts-in to LinkedIn’s calendar sync feature.
My first reaction to this was: “So what if an opt-in feature uploads your calendar. You opted in!” In truth, however, the issue is much deeper than that. Many users aren’t aware that their details are being stored on LinkedIn’s private servers – and the details often include names and emails as well as calendar events. Even worse, the data is being uploaded insecurely in plain test, making it an easy target for hackers.
Unfortunately, it gets even worse. What happens when you paint a big target on user data? Someone takes advantage, of course – and that’s exactly what happened. TheNextWeb shares the details:
Mashable reports, a Russian hacker claims he successfully stole data from LinkedIn, and has uploaded 6.5 million passwords from the site as proof. The passwords aren’t linked to usernames, but Finnish security company Cert-Fi says that it’s likely the hacker has access to the usernames as well.
6.5 million passwords stolen right out from under LinkedIn’s nose. LinkedIn has responded by claiming that even though the passwords are sent in plain text, they are sent over a secured SSL connection. Unfortunately, that clearly wasn’t enough. LinkedIn is investigating the possible password leak.
Needless to say, this is bad. Users of LinkedIn’s iOS app would be wise to change their passwords immediately, as well as any other login that used the same password as LinkedIn. Users can also disable the upload of calendar data within LinkedIn’s settings by tapping the settings icon, tapping “add calendar”, and setting the toggle to the off position.
We’ll keep you posted on significant updates regarding the incident as soon as it becomes available to us.
Update: LinkedIn has released a statement confirming that user accounts were indeed compromised this morning:
We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
How is the password upload connected to the iOS app fail? Or are they merely coincidental events showing that LinkedIn is not doing very well about security?
Coincidental. Just happened to happen concurrently.