[Chugalug] this ain't kosher: LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts
jnylen at gmail.com
Tue Sep 24 20:30:22 UTC 2013
Doesn't have to be webmail integration. Theoretically the source could be
any site that has articles with a LinkedIn share button (or comments
system) and a "Click here to log in to the forums with your email address
and password" button.
Since 90+% of people will have the same (easy) passwords for multiple
services, and the LinkedIn script would be able to slurp up the form
submissions on the site, that's the ballgame.
I sort of doubt this is happening though - I would think it would be a
pretty big scandal if something like that were to come out.
On Sun, Sep 22, 2013 at 7:31 PM, William Roush <william.roush at roushtech.net> wrote:
> > The easiest way I know of is to convince the owner of a domain to load
> > a script you control.
> Yeah that is pretty much the easiest way, is there a LinkedIn integration
> out there that webmail clients are using? Ick...
> > How many pages do you visit that have those Facebook like / Tweet /
> > Google +1 buttons on them?
> We also have miles of logs of people accessing said sites via their
> client-side APIs because of it, so they stick out like a sore thumb. My
> biggest gripe is that even with the Engineer from LinkedIn there is just
> hand-waving and paranoia. I'm used to the network security guys dumping
> proof online when accusations like this are made in that realm.
> It seems 99% of "it must be happening" is the paranoia that their
> relationships with people are more interconnected than they think they are,
> and that computer algorithms can figure them out.
> William Roush
> On 9/22/2013 3:50 PM, James Nylen wrote:
> The easiest way I know of is to convince the owner of a domain to load a
> script you control. Once you do that, technically all bets are off and you
> can capture any interaction with that domain.
> How many pages do you visit that have those Facebook like / Tweet /
> Google +1 buttons on them? Yeah... I think those scripts are worth
> On Sat, Sep 21, 2013 at 2:30 PM, William Roush <william.roush at roushtech.net> wrote:
>> I'll bite, how DO you gain control of a window you didn't spawn in
>> I could see it being done with other technologies (ex: java applets?) or
>> other exploits (XSS/CSRF), but I'd figure those would seem to be a lot
>> easier to detect and we'd have evidence before this even came out.
>> William Roush
>> On 9/21/2013 2:03 PM, Mike Harrison wrote:
>>>> I'd like to know what they mean by that... cross-window, cross-domain
>>>> exploits? Aren't those nearly impossible on any modern browser?
>>> Not impossible, but I'm waiting for a better explanation of what really
>>> happened. LinkedIn and other social media sites are often confusing to some
>>> people, and they click [yes] and enter passwords without thought.
>>> It might be as simple as morons that use the same password for email as
>>> things like LinkedIn, Facebook..
>>> Chugalug mailing list
>>> Chugalug at chugalug.org