[Chugalug] this ain't kosher: LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

William Roush william.roush at roushtech.net
Sun Sep 22 23:31:46 UTC 2013


> The easiest way I know of is to convince the owner of a domain to load a script you control.

Yeah, that is pretty much the easiest way. Is there a LinkedIn 
integration out there that webmail clients are using? Ick...

> How many pages do you visit that have those Facebook like / Tweet / Google +1 buttons on them?

We also have miles of logs of people accessing said sites via their 
client-side APIs because of it, so they stick out like a sore thumb. My 
biggest gripe is that even with the engineer from LinkedIn there is just 
hand-waving and paranoia. I'm used to the network security guys dumping 
proof online when accusations like this are made in that realm.

It seems 99% of "it must be happening" is the paranoia that their 
relationships with people are more interconnected than they think they 
are, and that computer algorithms can figure them out.

William Roush

On 9/22/2013 3:50 PM, James Nylen wrote:
> The easiest way I know of is to convince the owner of a domain to load 
> a script you control.  Once you do that, technically all bets are off 
> and you can capture any interaction with that domain.
>
> How many pages do you visit that have those Facebook like / Tweet / 
> Google +1 buttons on them?  Yeah... I think those scripts are worth 
> blocking.
>
>
> On Sat, Sep 21, 2013 at 2:30 PM, William Roush 
> <william.roush at roushtech.net <mailto:william.roush at roushtech.net>> wrote:
>
>     I'll bite, how DO you gain control of a window you didn't spawn in
>     javascript on a modern browser?
>
>     I could see it being done with other technologies (ex: java
>     applets?) or other exploits (XSS/CSRF), but I'd figure those would
>     seem to be a lot easier to detect and we'd have evidence before
>     this even came out.
>
>     William Roush
>
>
>     On 9/21/2013 2:03 PM, Mike Harrison wrote:
>
>             I'd like to know what they mean by that... cross-window,
>             cross-domain exploits? Aren't those nearly impossible on
>             any modern browser?
>
>
>         Not impossible, but I'm waiting for a better explanation of
>         what really happened. LinkedIn and other social media sites
>         are often confusing to some people, and they click [yes] and
>         enter passwords without thought.
>
>         It might be as simple as morons that use the same password for
>         email as things like LinkedIn, Facebook..
>         _______________________________________________
>         Chugalug mailing list
>         Chugalug at chugalug.org <mailto:Chugalug at chugalug.org>
>         http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>
>
