back to article 'Dads from the Midwest' pull down their email-spaffing LinkedIn plugin

A controversial browser plug-in that offered to reveal LinkedIn users’ private email addresses has been withdrawn by its developers, at least for now. Sell Hack added a “Hack In” button to LinkedIn profiles, which sometimes (but not always) displayed email addresses that supposedly allowed users to contact LinkedIn users …

COMMENTS

This topic is closed for new posts.
  1. dogged
    Alert

    LinkedIn are dangerous amateurs

    View a profile page in LinkedIn whether or not you are a "connection".

    "View Source".

    Search the source for "@"

    And there you find that user's registered email address.

    In my opinion, this is unforgivably bad practice. Don't give LinkedIn a genuine email address. I think the only reason most people don't notice the spam-vuln is because LinkedIn send so much fucking spam themselves.

    1. petur
      Trollface

      Re: LinkedIn are dangerous amateurs

      Well done, you actually had me look at this before I discovered you're just trolling.... no address to be found on the ones I checked.

      1. dogged

        Re: LinkedIn are dangerous amateurs

        I'm not trolling. Did you log in?

        This is pretty much what the plugin does.

        1. Havin_it
          IT Angle

          @dogged Re: LinkedIn are dangerous amateurs

          So what I take from this is that this vuln (whether or not it is the one the miscreant plugin exploits) requires you to be logged-in to access the email addy.

          Not being a LinkedIn member myself, can I ask:

          1. How bullshitable are they? That is, how strong is their validation that your identity is real and unique?

          2. What's the difference between when another member should and shouldn't be able to see this information on the page anyway? (Or are you specifying that the registration email address can differ from that listed for limited publication in one's profile, and that if so it's the former that's being spaffed? That would indeed be extremely bad.)

          3. Anecdotally, do you reckon there are many source-botherers on there? Clearly you are, but it always struck me more as a managers' playground. Just wondering if it has that many denizens who'd even consider viewing the source (not that this would mitigate the vuln really but...)

          1. AbelSoul

            Re: @dogged LinkedIn are dangerous amateurs

            it always struck me more as a managers' playground. Just wondering if it has that many denizens who'd even consider viewing the source

            There are a large number of IT workers registered on LinkdIn, and not all of them management.

            1. AndrueC Silver badge
              Thumb Up

              Re: @dogged LinkedIn are dangerous amateurs

              There are a large number of IT workers registered on LinkdIn, and not all of them management.

              Yeah. Me for instance. Never got anything useful out of it though which is why my last email address is now blacklisted and an alternative hasn't been provided.

          2. dogged

            Re: @dogged LinkedIn are dangerous amateurs

            1. How bullshitable are they? That is, how strong is their validation that your identity is real and unique?

            Given a disposable email address, you could get far enough to log in and you only need to be logged in to use this vulnerability. So, pretty bullshittable.

            2. What's the difference between when another member should and shouldn't be able to see this information on the page anyway? (Or are you specifying that the registration email address can differ from that listed for limited publication in one's profile, and that if so it's the former that's being spaffed? That would indeed be extremely bad.)

            A "connection" - somebody you've given access to your details - could just send you an on-site message which LinkedIn would spam you with anyway but they couldn't see your email address. They actually sell the addresses to employment agencies as a paid service, which I find ironic.

            And yes, it's the registration address that's in the source.

            3. Anecdotally, do you reckon there are many source-botherers on there? Clearly you are, but it always struck me more as a managers' playground. Just wondering if it has that many denizens who'd even consider viewing the source (not that this would mitigate the vuln really but...)

            Put it this way - unless there's somebody you specifically wanted to connect with (I did) then if you're the kind to wrangle source code at the 'raw bits' level, you have no real reason to be on LinkedIn because it's only useful for getting you a job or finding somebody you used to work with. However, there an awful lot of developers of the type who struggle to find work on there, if you understand me.

            Probably some of those get bored. Me, I just wanted to know what the plugin did so I installed it and looked at what it was really up to.

        2. VinceH Silver badge

          Re: LinkedIn are dangerous amateurs

          "I'm not trolling. Did you log in?

          This is pretty much what the plugin does."

          I logged in, and I only found the email address in the source of some profiles, but not all - and those were ones on which the email address is visible when you click the 'Contact Info' button (my connections).

          From the article, this browser plug-in "sometimes (but not always) displayed email addresses that supposedly allowed users to contact LinkedIn users directly by email" - I can't help but wonder if the ones it displayed were the ones where the user would have seen had they clicked 'Contact Info' anyway.

          1. petur

            Re: LinkedIn are dangerous amateurs

            I logged in, and I only found the email address in the source of some profiles, but not all - and those were ones on which the email address is visible when you click the 'Contact Info' button (my connections).

            Indeed, you can opt to share your contact details to anyone, but that is NOT a vulnerability, it is the choice of the user.

        3. petur

          Re: LinkedIn are dangerous amateurs

          I tried logged in and logged out.

          Logged in, I checked a number of profiles that are not linked (because when linked, you have access to that info). No address to be seen.

          Logged out + anonymous browser mode, I checked my own profile and a few I know to provide their address to me. Couldn't find any trace.

          Would not mind standing corrected but do tell me exactly HOW I can see them. Log in or out? View connected profile or not? The devil might be in the details but I honestly can't find anything wrong so far.

      2. Roo

        Re: LinkedIn are dangerous amateurs

        "Well done, you actually had me look at this before I discovered you're just trolling.... no address to be found on the ones I checked."

        He's not trolling, that trick actually does work (I just tried from the UK), consequently I fully agree with the assessment that they are dangerous amateurs. Sadly they didn't even bother obfuscating the @. :(

        You are not the only one to be Clueless though, the oft quoted Clueley concluded that "I really don’t feel as if [linked in] have handled this situation badly at all"...

        Do you have some interest in Linked In publishing it's customer's email addresses on publicly viewable pages ?

        1. AndrueC Silver badge
          Flame

          Re: LinkedIn are dangerous amateurs

          It has your work number as well.

          Anyway this may well explain why twice now I've had to blacklist the email address I've given them and issue a new one. Cretins.

          1. Adrian 4 Silver badge

            Re: LinkedIn are dangerous amateurs

            Better solution : delete your profile, spam-block their email.

        2. dogged

          Re: LinkedIn are dangerous amateurs

          > You are not the only one to be Clueless though, the oft quoted Clueley concluded that "I really don’t feel as if [linked in] have handled this situation badly at all"...

          I really don't feel that Graham Clueley has any fucking idea how insecure LinkedIn actually are.

          This kind of comment on the basis of no analysis whatsoever is exactly what's wrong with current journalism and what the grauniad still insists on calling the "blogosphere".

  2. Anonymous Coward
    Anonymous Coward

    Security at its very best

    Wish the problem away. It works for Ostriches after all.

    1. I. Aproveofitspendingonspecificprojects
      Headmaster

      What's the problem?

      Don't look at me like that. I just came here to see if anyone knew the first language of the person that wrote the article. Chinese Spammer or what?

  3. Mage Silver badge

    Plugin isn't the problem

    This is yet another Linkedin fail in particular and social media fail in general.

    1: Create a new email real address you can abandon or delete later. It needs to work.

    2: Add it to Linkedin and confirm it

    --- 3. now you can make the new address the Primary and delete everything including the "real" email addresses.

    4. rename your self and add false country and profession

    5. logout

    6. Delete temporary specially created email address in (1) or never access it.

    I've been on Linkedin over 6 years maybe and had recently begun to think it was as useless as Facebook.

  4. Ian 45

    Cannot believe it!

    Its true, just look in the source and you get the email address. Wow, that is a massive blunder and surely a breach of data protection?

    1. Version 1.0 Silver badge

      Re: Cannot believe it!

      I'm not seeing it work at all - @ is found once on the page:

      // controlIds to be flushed explicitly, set from @jsControlFlush

      1. Ian 45

        Re: Cannot believe it!

        Its not on all the profiles I tried, a couple showed. Although anyone I had a connection with had it every time.

      2. Roland6 Silver badge

        Re: Cannot believe it! @Version 1.0

        Also not seeing it in either IE8 or Chrome on XP (using display/view source) ; signed in or not to LinkedIn UK; connections or un-connected profiles.

        What I have noticed is that some contacts have included their email address within their published profile...

  5. Dexter
    Devil

    LinkedIn seems to be just a massive spam magnet. I've no idea why anyone would want to be on it.

    1. Anonymous Coward
      Anonymous Coward

      "LinkedIn seems to be just a massive spam magnet. I've no idea why anyone would want to be on it."

      In the past I've used it to recruit many hundreds of technical staff. The results are a lot better than using a recruitment agent who merely keyword match and has not one iota of understanding of your requirement, even if they swear blind they do.

      And just recently, two days after updating my profile to "looking for work" someone out of the blue contacted me and then offered me a job. A good one.

      I'm no Linkedin shill, but for me, the results have spoken for themselves. However, leaving a user's email address in the web page source and then getting all indignant when someone scrapes it, does make them appear to be lacking some important qualities.

  6. Anonymous Coward
    Anonymous Coward

    Maybe I'm missing the point

    But if you are logged into LinkedIn, then to contact someone you might as well send them the friend request or whatever it's called and do it inhouse.

    If you don't want to do it that way, then you take what details they have revealed - eg Company name, location and put them into google and find the company's address etc.

    Personally, I use Linked in for access to some relevant groups of technical people. I've had a couple of connection requests from people I barely know through some business related transaction, or through the aforementioned groups. All other requests are from people I do already know well. No intention of connecting with some of the people I actually work with though.

  7. Anonymous Coward
    Anonymous Coward

    Anagram corner

    "business social network"

    A Subsistence Link Or Sow

    Oink!

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019