LinkedIn's app transmits user data without their knowledge

iOS app collects users' calendar data and transmits it to the networking company's servers, without revealing the transmission to members, two mobile security researchers discover.

Steven Musil Night Editor / News
Calendar details leaked by LinkedIn's app.

LinkedIn's iOS app is collecting information from calendar entries, including passwords and meeting notes, and transmitting it back to the company's servers without users' knowledge, according to two mobile security researchers.

The business-networking giant's app for Apple's iPad and iPhone has an opt-in feature that allows users to view their calendar entries within the app. However, researchers Yair Amit and Adi Sharabani discovered that once enabled by the user, the app automatically transmits users' calendar entries back to LinkedIn servers. Amit and Sharabani expect to present their findings at a security workshop at Tel Aviv University tomorrow.

The transmission of data, which is not revealed to users, may violate Apple's privacy guidelines, which prohibit apps from collecting and transmitting users' data without their express permission. Controversy erupted earlier this year when Path -- a popular iOS and Android application -- was found to be collecting user contact information without permission. Path issued an apology on the issue and introduced an updated version that required users to opt in to the feature.

Apple promised a fix that would prevent the behavior in the future, and a U.S. House subcommittee sent a letter to Apple asking why it doesn't force app developers to ask users for permission before downloading contacts.

The researchers said they had contacted LinkedIn about their findings but that the issue has yet to be resolved. They also said they didn't believe the social network used the data in a malicious way.

"However, we are concerned by the fact it collects and sends-out sensitive information about its users, without a clear indication and consent," Amit said in a blog post describing the issue.

While user contact data is valuable in helping to attract more users to the app, the researchers said there was no legitimate reason for LinkedIn to be collecting calendar data.

"The biggest problematic factor lies in the fact that most of the transmitted information is not required for the app's functionality," Amit said.

LinkedIn representatives did not immediately respond to a CNET request for comment but pointed out to the New York Times that the feature is an "opt-in experience" that users can opt out of at any time.

"We use information from the meeting data to match LinkedIn profile information about who you're meeting with so you have more information about that person," LinkedIn spokesperson Julie Inouye said.

CNET has contacted Apple and will update this report when we learn more.

Updated at 8:55 p.m. PT with link to blog.