by jwcrux 4619 days ago
Sorry - I tried to keep the post to a reasonable length. I'll be following up with a more detailed post later. :)

The separate IMAP account is likely so that they wouldn't ever touch the user's Gmail credentials. This way, they do everything via the OAuth token they retrieve. Also, I'm not sure if they can know for sure that the user has synced their Gmail account to their iPhone or not.

I don't know how LinkedIn thought this was a good idea. This is clearly one of those cases where the functionality benefits are greatly outweighed by the security risks. This shouldn't have been made.

Thanks for reading!

1 comments

I don't know the details of IMAP well enough, but isn't the proxy what allows them to inject HTML into the email that iPhone's Mail app sees, but not any other client?
Yes - they need to perform what's called a Man in the Middle Attack (MiTM) to inject HTML into your email.

Normally, your iPhone (and other clients) retrieve email from Gmail's servers using the IMAP protocol. To inject content, LinkedIn set up a security profile which placed themselves in the middle, so you connect via IMAP to their servers, they fetch the content using IMAP from Google, inject their content, and feed it back to you.

This is why the email is not permanently changed. It is only changed en route to your iPhone.
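
An added example, not part of the thread or of any LinkedIn code: a small auditor that parses an iOS configuration profile and flags mail account payloads whose IMAP server is not the mailbox provider's own host, which is the on-device sign of the proxy arrangement described above. It assumes an unsigned XML profile; the sample profile, its `imap.proxy.example` hostname and the allow-list are constructed for illustration.

```python
import plistlib

# Assumption: hosts this auditor accepts as the provider's own IMAP endpoints.
PROVIDER_IMAP_HOSTS = {"gmail.com": {"imap.gmail.com"}}

# Constructed sample profile; the proxy hostname is a placeholder, not from the thread.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>EmailAddress</key><string>alice@gmail.com</string>
      <key>IncomingMailServerHostName</key><string>imap.proxy.example</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>EmailAddress</key><string>bob@gmail.com</string>
      <key>IncomingMailServerHostName</key><string>imap.gmail.com</string>
    </dict>
  </array>
</dict></plist>"""


def audit_mail_payloads(profile_bytes):
    """Return one finding per mail payload whose IMAP host is not the provider's."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mail.managed":
            continue  # not a mail account payload
        address = payload.get("EmailAddress", "")
        domain = address.rpartition("@")[2].lower()
        host = payload.get("IncomingMailServerHostName", "").lower()
        expected = PROVIDER_IMAP_HOSTS.get(domain)
        # Only judge domains we have an allow-list for; unknown domains are skipped.
        if expected is not None and host not in expected:
            findings.append({"address": address, "imap_host": host,
                             "expected": sorted(expected)})
    return findings


if __name__ == "__main__":
    for finding in audit_mail_payloads(SAMPLE_PROFILE):
        print("mail routed via third-party IMAP host:", finding)
```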