
This is essentially a MITM attack. I am amazed that a company the size of LinkedIn would think that this is in any way appropriate. These are the tricks of spammers and cyber criminals. This is what LinkedIn has become.

Will customers be explicitly told that all of their emails will be going through and stored on LinkedIn servers? I doubt it. I do envision a dialog box along the lines of "Click Here to make your experience better". Sadly people will click without realizing the implications.



The "attack" part of "man in the middle attack" refers to the fact that it is done secretly and generally with ill intentions. LinkedIn is not being secretive (and we can speculate about their intentions). If everything that's in the middle of something is a man in the middle attack, then that would include your home router.


I work in enterprise information security, and my team agreed upon hearing this news that if this was used on our email system, we would consider it a MITM attack. Whether or not the end user opted in, the corporation did not.

So, in the context of use in environments where your email address is not fully owned by you, attack would be a valid word. Otherwise, I agree that it's a MITM but not an attack.


I appreciate the data point, but I must admit that sounds very unreasonable, unless you're considering the employer as the attacker. Would the same apply if an employee were using a VPN at work?


We do block VPN on our corporate network, yes. A VPN is a tunnel that hides user activity from our monitoring and DLP tools and use of VPN from our network to the outside is against policy. Likewise, sharing your credentials with a third party is against policy.

The attacker is LinkedIn. The employee is the attack vector. LinkedIn is engaging in a phishing attack.


You didn't explicitly answer whether you consider VPN usage to be a man in the middle attack. I understand banning it (as well as this LinkedIn feature) on a corporate network, but not considering either a man in the middle attack.


VPN is a tunnel, not a MITM. It's used to bypass our monitoring and filtering. You're tunneling out of our network into someone else's, which may have more favorable rules.

This is a MITM, because LinkedIn is intercepting and modifying the traffic between the email server and the client machine, traffic which is supposed to only be read by the recipient. A VPN isn't intercepting traffic, it's used to tunnel traffic. LinkedIn is positioning themselves directly between the traffic source and the destination to read and modify the transmission.


Is your corporation going to fire the users who use this? If not, why not? They are aiding and abetting an outside attacker.


No, in the same way we don't fire people for getting viruses on their computer. Without a reason to believe the action was intentionally designed to cause harm to the business, like cstrat said, education is the best way to handle it. It would be hard to prove malicious intent in a case like this. LinkedIn would be attacking us, the user would just be an attack vector. It's akin to getting phished.


I agree, and I think the major email providers should block it. Maybe Google can just cut off their API access and stop using LinkedIn for recruiting. That ought to get their attention.


Given that a lot of users are technically unaware of what they are doing, it would be akin to firing someone for falling for one of those pop ups that offers to do a free virus scan. If you are a pharmaceutical sales rep and you read that LI blog post, you probably think it is perfectly safe...

I would think the responsibility falls back onto IT to educate users - and to block connections from LI to the mail server.
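The comment above suggests that IT should block connections from the proxy to the mail server. The page names no addresses for that proxy, so the following added example (not from the thread, not LinkedIn's or any vendor's code) instead shows the detection logic an operator would run first: parse IMAP login lines and flag any single remote IP that authenticates as many distinct accounts, which is the footprint a third-party mail proxy leaves that an ordinary mail client does not. The log lines are constructed in a Dovecot-style `imap-login` format (assumed, with RFC 5737 documentation addresses), and the emitted drop rules assume an nftables `inet filter input` chain; both are illustration, not anything the page specifies.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a Dovecot-style "imap-login" format (assumed format;
# the IPs are RFC 5737 documentation addresses, not real proxy addresses).
SAMPLE_LOG = """\
Oct 24 10:12:01 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
Oct 24 10:12:05 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
Oct 24 10:12:09 mail dovecot: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
Oct 24 10:12:15 mail dovecot: imap-login: Login: user=<dave@example.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
Oct 24 10:13:00 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.5, TLS
Oct 24 10:13:30 mail dovecot: imap-login: Login: user=<erin@example.com>, method=PLAIN, rip=198.51.100.8, lip=192.0.2.5, TLS
Oct 24 10:14:00 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
Oct 24 10:14:02 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): rip=203.0.113.99, lip=192.0.2.5
"""

# Matches only successful logins: the account name and the remote ("rip=") address.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def users_per_source(log_text):
    """Map each remote IP to the set of distinct accounts that authenticated from it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:  # disconnect / failure lines carry no "Login: user=" and are skipped
            seen[m.group("rip")].add(m.group("user"))
    return seen


def suspected_shared_proxies(log_text, min_users=3, known_egress=()):
    """Return sorted [(ip, n_users)] for sources that logged in as >= min_users distinct
    accounts, excluding addresses the operator knows are legitimate shared egress
    (office NAT, corporate VPN concentrator), which show the same many-users-one-IP shape."""
    return sorted(
        (ip, len(users))
        for ip, users in users_per_source(log_text).items()
        if len(users) >= min_users and ip not in set(known_egress)
    )


def deny_rules(ips, port=993):
    """Render nft commands dropping IMAPS from the flagged sources.
    Assumed table/chain names ("inet filter input"); adjust to the local ruleset."""
    return [f"nft add rule inet filter input ip saddr {ip} tcp dport {port} drop" for ip in ips]


if __name__ == "__main__":
    flagged = suspected_shared_proxies(SAMPLE_LOG)
    for ip, n in flagged:
        print(f"{ip}: {n} distinct accounts authenticated from one source")
    for rule in deny_rules(ip for ip, _ in flagged):
        print(rule)
```

The threshold is deliberately low on this tiny sample; on a real server set `min_users` from a baseline of normal per-IP fan-out and seed `known_egress` with your own NAT and VPN addresses, otherwise every office gateway trips the rule. The heuristic identifies the proxy pattern, not its operator; confirming who runs the address and whether users opted in is still a manual step before a block goes live.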


I do think LinkedIn has ill intentions. In my opinion, their intentions are to collect, analyze, and ultimately profit from their users' email data. All under the guise of offering some marginal benefit.


So they're just like Gmail?


If you consider creating, hosting and managing arguably one of the better email platforms a "guise"... "of marginal benefit".


But you do have to take into account the context of what they are doing. Yes, on a technical scale it is similar to a MITM attack, and yes, in theory they do have access to your email content, but I don't think that using an interesting trick to add a useful feature should put them in the same category as sleazy hackers secretly trying to steal your credit cards and such.


Does it matter? They are purposefully inserting themselves into a stream of information which they largely have no business being a party to.

If (when?) this proxy service is compromised are they willing to be accountable for any information which leaks? I can't imagine wanting to even take on this risk (maybe I'm too conservative).

Edit: I just want to add - yes, it's interesting. Yes, it's sleazy.


> They are purposefully inserting themselves into a stream of information

to implement a feature that's impossible to do any other way. They have a justification for doing this.


Wasn't LinkedIn the defendant in a class action lawsuit about them using address books improperly?


There is a saying you may have heard before, "the road to Hell is paved with good intentions." Intent doesn't matter at all, because someone will inevitably figure out a) how, and b) why to take advantage of it for nefarious purposes.

