Phishing with LinkedIn's Intro

Update 10/28/2013 6:30PM CDT - I have been in contact with LinkedIn’s security team and a hotfix has recently been released to address the findings below. This fix applies the styling rules to a randomly generated ID, as opposed to the class-based styling seen below. This provides more specificity in applying the rules, making it more difficult to override.

I am no CSS expert so there could very well be tricks to still get around this and remove the content (or even just hide it and overlap it) - email me if you know of one! I will be continuing my work with LinkedIn’s security team to iron out any bugs we can find. Users are reminded that no solution is perfect, and that seeing this data in an email in no way definitively proves the sender’s legitimacy.

I would also like to thank LinkedIn’s security team for their quick and effective response to these findings.


On October 23, LinkedIn introduced an application called “Intro”. The premise is simple: allow iPhone users to see details about the people they are emailing within the native iPhone Mail App. Think Rapportive for the iPhone Mail App, because that’s essentially what this is (and made by the same people).

However, when reading the initial description of Intro, there was one part that caught my eye:

David says Crosswise would love to work with you. Is this spam, or the real deal?

With Intro, you can immediately see what David looks like, where he’s based, and what he does. You can see that he’s the CEO of Crosswise. This is the real deal.

This is not much different than LinkedIn saying “we’ve put a picture of a lock in your email, so you know for sure it’s secure”. LinkedIn is simply giving its users a false sense of security. In this post, we’ll take a look and see what exactly LinkedIn is doing to its users’ email, as well as how we can spoof this information, gaining full control of the information shown to the user.


Automated Social Engineering Recon Using Rapportive


When performing a social engineering engagement, recon is key. In a previous post, I demonstrated a few ways in which we could automate the recon process. However, the methods I showed were simply ways to find the profiles of people that might belong to a particular organization.

During SE engagements, we often either run across email addresses (by, say, simply scraping the main website) or want to enumerate the email address structure in use by an organization (generating possible alternatives using tools like jigsaw.rb). It would be helpful if it were possible to automate the process of validating those email addresses by associating them with additional information or social networking profiles. This is where Rapportive comes in handy.
