Hacker News new | ask | show | jobs
by cmccabe 4617 days ago
Based on everything I've read, LinkedIn didn't develop this technology. They bought it when they acquired Rapportive (which, by the way, was a Y Combinator startup).

Can someone explain the technical details here a little more? I feel like a few steps are missing in the explanation. Why does Rapportive/Intro need a separate IMAP account attached to the device? How could LinkedIn ever think email could be secure? Email is a plain-text protocol based on trust. Can't people just spoof source addresses and inject whatever they want into the next email server in the chain?
4 comments
hdevalence 4616 days ago
> Why does Rapportive/Intro need a separate IMAP account attached to the device?

Because LinkedIn is literally MITM attacking all of your mail, to add a little CSS bar with contact info.

This also means that they can collect information about all the patterns of all your email habits and sell it to third parties.

link
jwcrux 4616 days ago
Sorry - I tried to keep the post to a reasonable length. I'll be following up with a more detailed post later. :)

The separate IMAP account is likely so that they wouldn't ever touch the user's Gmail credentials. This way, they do everything via the OAuth token they retrieve. Also, I'm not sure if they can know for sure that the user has synced their Gmail account to their iPhone or not.

I don't know how Linkedin thought this was a good idea. This is clearly one of those cases where the functionality benefits are greatly outweighed by the security risks. This shouldn't have been made.

Thanks for reading!

link
colinsidoti 4616 days ago
I don't know the details of IMAP well enough, but isn't the proxy what allows them to inject HTML into the email that iPhone's Mail app sees, but not any other client?
link
jwcrux 4616 days ago
Yes - they need to perform what's called a Man in the Middle Attack (MiTM) to inject HTML into your email.

Normally, your iPhone (and other clients) retrieve email from Gmail's servers using the IMAP protocol. To inject content, Linkedin setup a security profile which placed themselves in the middle so you connect via IMAP to their servers, they fetch the content using IMAP from Google, inject their content, and feed it back to you.

This is why the email is not permanently changed. Only changed en route to your iPhone.

link
wellboy 4616 days ago
Well if Rapportive was acquired by Linkedin, Linkedin will have had a big influence on this project.
link
joekrill 4616 days ago
They blogged all about it: http://engineering.linkedin.com/mobile/linkedin-intro-doing-...
link