[Chugalug] this ain't kosher: LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts
william.roush at roushtech.net
Sat Sep 21 17:04:20 UTC 2013
I'm really interested in the HOW here. I know LinkedIn can store your
e-mail credentials for this purpose, but that is something you do yourself.
There is some discussion of LinkedIn relying on exploits; that seems
like a lot of work for what is a crapshoot in being able to pull
contacts, especially when they have a system that even the more
technical-savvy on Slashdot were willing to use...
It helps having KeePass. There is additional discussion that it's simply
UI confusion, and if you use the same password for both systems, you
think you're giving your password for LinkedIn (you always log in with
your e-mail address), when really it's asking for access to your contact list.
> "then used the information to access their external e-mail accounts
> when they were left open,"
I'd like to know what they mean by that... cross-window, cross-domain
exploits? Aren't those nearly impossible on any modern browser?
On 9/21/2013 12:42 PM, Rod wrote:
> From /. :
> cold fjord writes with this Business Week report:
> "LinkedIn Corp. ... was sued by customers who claim the company
> appropriated their identities for marketing purposes by hacking into
> their external e-mail accounts and downloading contacts' addresses.
> The customers, who aim to lead a group suit against LinkedIn, asked a
> federal judge in San Jose, California, to bar the company from
> repeating the alleged violations and to force it to return any revenue
> stemming from its use of their identities to promote the site ...
> 'LinkedIn's own website contains hundreds of complaints regarding this
> practice,' they said in the complaint filed Sept. 17. ... LinkedIn
> required the members to provide an external e-mail address as their
> username on its site, then used the information to access their
> external e-mail accounts when they were left open ... 'LinkedIn
> pretends to be that user and downloads the e-mail addresses contained
> anywhere in that account to LinkedIn's servers,' they said. 'LinkedIn
> is able to download these addresses without requesting the password
> for the external e-mail accounts or obtaining users' consent.'"
> "This puts an interesting twist on LinkedIn's recent call for
> transparency," adds cold fjord. (More at Bloomberg.)