A day after it was revealed that LinkedIn was transmitting users' data without their knowledge, the business network said it would discontinue the practice.
Mobile security researchers Yair Amit and Adi Sharabani discovered that once enabled by the user, an opt-in feature on the iOS app's calendar automatically transmits users' calendar entries, including passwords and meeting notes, back to LinkedIn servers. The transmission of data, which is not revealed to users, is thought to violate Apple's privacy guidelines, which prohibit apps from collecting and transmitting users' data without their express permission.
A LinkedIn representative explained last night that the company "use[s] information from the meeting data to match LinkedIn profile information about who you're meeting with so you have more information about that person."
However, the company announced today that it would alter the app to discontinue the practice.
"We will no longer send data from the meeting notes section of your calendar event," Joff Redfern, LinkedIn's head of mobile products, wrote in a blog post today. He also said a new "learn more" link will be added to provide more information about how calendar data is used. He said the Android app had already been updated and that the iOS app had been submitted to Apple for approval.
The about-face on the calendar app comes on the same day LinkedIn conceded that some passwords on a list of allegedly stolen hashed passwords belong to its members, although it did not indicate how the site was compromised. The password list, which was uploaded to a Russian hacker server and has since been removed from the site, has nearly 6.5 million items, but it's not clear how many of the passwords were cracked.
The researchers presented their findings at a security workshop at Tel Aviv University today.