'Dads from the Midwest' pull down their email-spaffing LinkedIn plugin A controversial browser plug-in that offered to reveal LinkedIn users’ private email addresses has been withdrawn by its developers, at least for now. Sell Hack added a “Hack In” button to LinkedIn profiles, which sometimes (but not always) displayed email addresses that supposedly allowed users to contact LinkedIn users …
View a profile page in LinkedIn whether or not you are a "connection".
"View Source".
Search the source for "@"
And there you find that user's registered email address.
In my opinion, this is unforgivably bad practice. Don't give LinkedIn a genuine email address. I think the only reason most people don't notice the spam-vuln is because LinkedIn send so much fucking spam themselves.
So what I take from this is that this vuln (whether or not it is the one the miscreant plugin exploits) requires you to be logged-in to access the email addy.
Not being a LinkedIn member myself, can I ask:
1. How bullshitable are they? That is, how strong is their validation that your identity is real and unique?
2. What's the difference between when another member should and shouldn't be able to see this information on the page anyway? (Or are you specifying that the registration email address can differ from that listed for limited publication in one's profile, and that if so it's the former that's being spaffed? That would indeed be extremely bad.)
3. Anecdotally, do you reckon there are many source-botherers on there? Clearly you are, but it always struck me more as a managers' playground. Just wondering if it has that many denizens who'd even consider viewing the source (not that this would mitigate the vuln really but...)
There are a large number of IT workers registered on LinkdIn, and not all of them management.
Yeah. Me for instance. Never got anything useful out of it though which is why my last email address is now blacklisted and an alternative hasn't been provided.
1. How bullshitable are they? That is, how strong is their validation that your identity is real and unique?
Given a disposable email address, you could get far enough to log in and you only need to be logged in to use this vulnerability. So, pretty bullshittable.
2. What's the difference between when another member should and shouldn't be able to see this information on the page anyway? (Or are you specifying that the registration email address can differ from that listed for limited publication in one's profile, and that if so it's the former that's being spaffed? That would indeed be extremely bad.)
A "connection" - somebody you've given access to your details - could just send you an on-site message which LinkedIn would spam you with anyway but they couldn't see your email address. They actually sell the addresses to employment agencies as a paid service, which I find ironic.
And yes, it's the registration address that's in the source.
3. Anecdotally, do you reckon there are many source-botherers on there? Clearly you are, but it always struck me more as a managers' playground. Just wondering if it has that many denizens who'd even consider viewing the source (not that this would mitigate the vuln really but...)
Put it this way - unless there's somebody you specifically wanted to connect with (I did) then if you're the kind to wrangle source code at the 'raw bits' level, you have no real reason to be on LinkedIn because it's only useful for getting you a job or finding somebody you used to work with. However, there an awful lot of developers of the type who struggle to find work on there, if you understand me.
Probably some of those get bored. Me, I just wanted to know what the plugin did so I installed it and looked at what it was really up to.
"I'm not trolling. Did you log in?
This is pretty much what the plugin does."
I logged in, and I only found the email address in the source of some profiles, but not all - and those were ones on which the email address is visible when you click the 'Contact Info' button (my connections).
From the article, this browser plug-in "sometimes (but not always) displayed email addresses that supposedly allowed users to contact LinkedIn users directly by email" - I can't help but wonder if the ones it displayed were the ones where the user would have seen had they clicked 'Contact Info' anyway.
I logged in, and I only found the email address in the source of some profiles, but not all - and those were ones on which the email address is visible when you click the 'Contact Info' button (my connections).
Indeed, you can opt to share your contact details to anyone, but that is NOT a vulnerability, it is the choice of the user.
I tried logged in and logged out.
Logged in, I checked a number of profiles that are not linked (because when linked, you have access to that info). No address to be seen.
Logged out + anonymous browser mode, I checked my own profile and a few I know to provide their address to me. Couldn't find any trace.
Would not mind standing corrected but do tell me exactly HOW I can see them. Log in or out? View connected profile or not? The devil might be in the details but I honestly can't find anything wrong so far.
"Well done, you actually had me look at this before I discovered you're just trolling.... no address to be found on the ones I checked."
He's not trolling, that trick actually does work (I just tried from the UK), consequently I fully agree with the assessment that they are dangerous amateurs. Sadly they didn't even bother obfuscating the @. :(
You are not the only one to be Clueless though, the oft quoted Clueley concluded that "I really don’t feel as if [linked in] have handled this situation badly at all"...
Do you have some interest in Linked In publishing it's customer's email addresses on publicly viewable pages ?
> You are not the only one to be Clueless though, the oft quoted Clueley concluded that "I really don’t feel as if [linked in] have handled this situation badly at all"...
I really don't feel that Graham Clueley has any fucking idea how insecure LinkedIn actually are.
This kind of comment on the basis of no analysis whatsoever is exactly what's wrong with current journalism and what the grauniad still insists on calling the "blogosphere".
This is yet another Linkedin fail in particular and social media fail in general.
1: Create a new email real address you can abandon or delete later. It needs to work.
2: Add it to Linkedin and confirm it
--- 3. now you can make the new address the Primary and delete everything including the "real" email addresses.
4. rename your self and add false country and profession
5. logout
6. Delete temporary specially created email address in (1) or never access it.
I've been on Linkedin over 6 years maybe and had recently begun to think it was as useless as Facebook.
"LinkedIn seems to be just a massive spam magnet. I've no idea why anyone would want to be on it."
In the past I've used it to recruit many hundreds of technical staff. The results are a lot better than using a recruitment agent who merely keyword match and has not one iota of understanding of your requirement, even if they swear blind they do.
And just recently, two days after updating my profile to "looking for work" someone out of the blue contacted me and then offered me a job. A good one.
I'm no Linkedin shill, but for me, the results have spoken for themselves. However, leaving a user's email address in the web page source and then getting all indignant when someone scrapes it, does make them appear to be lacking some important qualities.
But if you are logged into LinkedIn, then to contact someone you might as well send them the friend request or whatever it's called and do it inhouse.
If you don't want to do it that way, then you take what details they have revealed - eg Company name, location and put them into google and find the company's address etc.
Personally, I use Linked in for access to some relevant groups of technical people. I've had a couple of connection requests from people I barely know through some business related transaction, or through the aforementioned groups. All other requests are from people I do already know well. No intention of connecting with some of the people I actually work with though.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
