LinkedIn Transmits Personal Data in Plain Text (Update: And Leaks Passwords, Too!)

The Next Web is reporting that LinkedIn's iOS app collects personal data from the device's calendar—without explicit consent—and sends it back to the company's servers in plain text.

Users must opt in to a feature that allows them to view calendar information from within the LinkedIn app, but once that choice is made, the user is not notified that their personal data—including a meeting's title, organizer, attendees, meeting times and notes—is being transmitted across the internet as plain text. Fortunately, that means that if you haven't chosen to use the feature, your data is completely secure.

The issue was identified by Skycure Security researchers Yair Amit and Adi Sharabani, who will be presenting the discovery at the Yuval Ne'eman workshop in Tel Aviv later today. It raises some questions about whether LinkedIn's app abides by Apple's privacy guidelines.

According to LinkedIn spokeswoman Julie Inouye speaking to the New York Times, the data is used to coordinate information across multiple users:

"We use information from the meeting data to match LinkedIn profile information about who you're meeting with so you have more information about that person."

However, it remains unclear why LinkedIn needs so much data. To accomplish the outcome that Inouye describes, the company should only need a user's unique identifier to feed each attendee the correct information. It currently remains uncertain what LinkedIn or Apple intend to do about the problem.

Update: The Next Web is now reporting that it's just not LinkedIn's day. Apparently a large number of its user accounts have now been compromised, with 6.5 million hashed and encrypted passwords reportedly leaked. You should change your password, and quick.

[The Next Web, New York Times]

Image by nan palmero under Creative Commons license