Why you should care about the LinkedIn calendar vulnerability

by danhon

So we found out today that LinkedIn’s iOS apps have been sending calendar data in plaintext in order to support a new feature – giving you background information on the people you’re meeting that day. Which, on its own, is potentially a pretty useful feature, and a nice way of bringing to life the more connected future we’ve been sold in numerous concept videos (stereotypically also displayed on transparent smart glass devices).

But the fact that this information is sent in plaintext – in the clear, over 3G or wifi – is a problem. For one, you don’t know it’s happening: there’s no signposting that the matching is done on LinkedIn’s servers rather than on your device, which is why the app has to upload your calendar in the first place. So when the iOS app asks for access to your calendar, the user has no way of understanding that “access” means “taking a copy of your data and sending it to LinkedIn”, let alone what LinkedIn ultimately does with all of it.

But secondly, it’s being sent in plaintext over the wire. That means anyone sitting on the path between your phone and LinkedIn’s servers – the operator of the wi-fi network you’re on, anyone else on the same open wi-fi, any network in between – can read it.

Here’s why you should care:

You’re a suit – the kind of person who has lots of meetings with important people, a road warrior who lives by your calendar. LinkedIn is part of your outboard brain because it’s how you keep track, in some way, of all of your contacts. It’s actually useful for you to have background information on the people you’re meeting with, especially when you’re in meetings with clients out on site.

But when you’re out on those client meetings, you’re connecting over guest wi-fi. And, corporate espionage being what it is, and terms and conditions for network guest access being what they are, it’s entirely reasonable for your client or business prospect to monitor and log what happens over its guest wi-fi network. Plaintext HTTP needs no special effort to log; whoever runs the network already sees every byte.

Boom. Your business prospect – who you may or may not be on good terms with – just got access to your calendar. Names, dates, meetings.
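To make the two points above concrete (plaintext is readable by anyone on the path, and the guest wi-fi operator is on that path), here is an added example; it is not code from the original post and has nothing to do with LinkedIn’s actual app or servers. It is a small passive-observer script of the kind a network operator could run over a reassembled TCP stream: it classifies the captured bytes as cleartext HTTP or TLS and, for cleartext JSON, pulls out the meeting titles and attendees. The host, path, JSON field names and sample events are constructed for illustration; the real upload format is not known from this post.

```python
import json

# First bytes of the payloads a passive observer sees. Cleartext HTTP begins
# with a request line; a TLS connection begins with a handshake record
# (content type 0x16, protocol version 0x03xx).
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"PATCH ", b"DELETE ", b"HEAD ")


def classify_stream(payload: bytes) -> str:
    """Return "tls", "http" or "unknown" for the start of a captured TCP stream."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request: no end of headers")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    length = int(headers.get("content-length", len(body)))
    return method.decode(), path.decode(), headers, body[:length]


def extract_calendar_events(payload: bytes):
    """What an observer on the network learns from one captured upload.

    Returns a list of {title, start, attendees} dicts for a cleartext JSON
    upload, and an empty list when the stream is TLS (ciphertext) or is not
    a JSON request at all.
    """
    if classify_stream(payload) != "http":
        return []
    _method, _path, headers, body = parse_http_request(payload)
    if not headers.get("content-type", "").startswith("application/json"):
        return []
    data = json.loads(body)
    return [
        {
            "title": ev.get("title", ""),
            "start": ev.get("start", ""),
            "attendees": [a.get("email", "") for a in ev.get("attendees", [])],
        }
        for ev in data.get("events", [])
    ]


# --- Constructed sample traffic (hypothetical host, path and field names) ---
_BODY = json.dumps({
    "device": "ios",
    "events": [
        {"title": "Pricing negotiation - Acme", "start": "2012-06-06T10:00:00Z",
         "attendees": [{"name": "A. Buyer", "email": "buyer@acme.invalid"},
                       {"name": "C. Rival", "email": "sales@rival.invalid"}]},
        {"title": "Board prep", "start": "2012-06-06T15:00:00Z",
         "attendees": [{"name": "CFO", "email": "cfo@yourco.invalid"}]},
    ],
}).encode()

# The same upload as it would cross guest wi-fi over plain HTTP.
PLAINTEXT_UPLOAD = (
    b"POST /api/calendar/sync HTTP/1.1\r\n"
    b"Host: sync.example.invalid\r\n"
    b"Content-Type: application/json\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_BODY)
    + _BODY
)

# Start of a TLS 1.x handshake record (constructed fragment): over HTTPS this
# is all the observer ever gets, and the calendar never appears in it.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for ev in extract_calendar_events(PLAINTEXT_UPLOAD):
        print(ev["start"], ev["title"], ", ".join(ev["attendees"]))
    print("over TLS:", extract_calendar_events(TLS_CLIENT_HELLO))
```

To run this over real traffic, replace the constructed bytes with a reassembled stream from tcpdump or Wireshark’s “Follow TCP Stream”. The contrast is the whole point: the same upload sent over HTTPS classifies as “tls” and the extractor returns nothing, because the network operator only ever sees ciphertext.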

It’s not about LinkedIn getting access to your calendar. They couldn’t care less. But the people you’re meeting with, and the people they compete with? They might.

Yeah. You might not like that.