[Chugalug] this ain't kosher:LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

James Nylen jnylen at gmail.com
Tue Sep 24 20:30:22 UTC 2013


Doesn't have to be webmail integration. Theoretically the source could be
any site that has articles with a LinkedIn share button (or comments
system) and a "Click here to log in to the forums with your email address
and password" button.

Since 90+% of people will have the same (easy) passwords for multiple
services, and the LinkedIn script would be able to slurp up the form
submissions on the site, that's the ballgame.

I sort of doubt this is happening though - I would think it would be a
pretty big scandal if something like that were to come out.


On Sun, Sep 22, 2013 at 7:31 PM, William Roush
<william.roush at roushtech.net> wrote:

> > The easiest way I know of is to convince the owner of a domain to load
> > a script you control.
>
> Yeah that is pretty much the easiest way, is there a LinkedIn integration
> out there that webmail clients are using? Ick...
>
>
> > How many pages do you visit that have those Facebook like / Tweet /
> Google +1 buttons on them?
>
> We also have miles of logs of people accessing said sites via their
> client-side APIs because of it, so they stick out like a sore thumb. My
> biggest gripe is that even with the Engineer from LinkedIn there is just
> hand-waving and paranoia. I'm used to the network security guys dumping
> proof online when accusations like this are made in that realm.
>
> It seems 99% of "it must be happening" is the paranoia that their
> relationships with people are more interconnected than they think they are,
> and that computer algorithms can figure them out.
>
> William Roush
>
> On 9/22/2013 3:50 PM, James Nylen wrote:
>
> The easiest way I know of is to convince the owner of a domain to load a
> script you control. Once you do that, technically all bets are off and you
> can capture any interaction with that domain.
>
> How many pages do you visit that have those Facebook like / Tweet /
> Google +1 buttons on them? Yeah... I think those scripts are worth
> blocking.
>
>
> On Sat, Sep 21, 2013 at 2:30 PM, William Roush <
> william.roush at roushtech.net> wrote:
>
>> I'll bite, how DO you gain control of a window you didn't spawn in
>> javascript on a modern browser?
>>
>> I could see it being done with other technologies (ex: java applets?) or
>> other exploits (XSS/CSRF), but I'd figure those would seem to be a lot
>> easier to detect and we'd have evidence before this even came out.
>>
>> William Roush
>>
>>
>> On 9/21/2013 2:03 PM, Mike Harrison wrote:
>>
>>>> I'd like to know what they mean by that... cross-window, cross-domain
>>>> exploits? Aren't those nearly impossible on any modern browser?
>>>>
>>>
>>> Not impossible, but I'm waiting for a better explanation of what really
>>> happened. LinkedIn and other social media sites are often confusing to some
>>> people, and they click [yes] and enter passwords without thought.
>>>
>>> It might be as simple as morons that use the same password for email as
>>> things like LinkedIn, Facebook..
>>> _______________________________________________
>>> Chugalug mailing list
>>> Chugalug at chugalug.org
>>> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>>>
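The mechanism the thread keeps coming back to (once a domain loads a script you don't control, that script sees everything on the page, including what people type into a login form) is something a site owner can check for. The following is an added example, not code from anyone in the thread: a small Node.js audit that scans an HTML document for external `<script src>` tags, flags third-party hosts that are not on an allow-list, flags allowed third-party scripts that carry no Subresource Integrity hash, and emits a matching `script-src` Content-Security-Policy directive. The HTML sample, the page origin `https://forum.example.net`, the host `share.example-social.com` and the allow-list are all constructed for the example.

```javascript
// Added example (not from the thread): audit a page for third-party scripts,
// the mechanism the thread describes for capturing form submissions.
// SAMPLE_HTML, the origin and the host names below are constructed values.

const SAMPLE_HTML = `
<html><body>
<form action="/login" method="post">
  <input name="email"><input type="password" name="pw">
</form>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://share.example-social.com/in.js"></script>
<script>console.log('inline');</script>
</body></html>`;

// Pull every <script ...> opening tag and its src / integrity attributes.
// A regex is enough for this demonstration; use a real HTML parser in production.
function extractScripts(html) {
  const tagRe = /<script\b([^>]*)>/gi;
  const out = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    out.push({
      src: src ? src[1] : null,
      integrity: integrity ? integrity[1] : null,
    });
  }
  return out;
}

// Report scripts that give a third party full access to the page:
//  - hosts not on the allow-list at all
//  - allowed hosts loaded without an integrity hash (the CDN could swap the file)
function auditScripts(html, pageOrigin, allowedHosts) {
  const pageHost = new URL(pageOrigin).host;
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src === null) continue; // inline script: first-party content
    const url = new URL(s.src, pageOrigin); // resolves relative paths to the page host
    if (url.host === pageHost) continue; // first-party script
    if (!allowedHosts.includes(url.host)) {
      findings.push({ src: s.src, reason: 'third-party host not on allow-list' });
    } else if (!s.integrity) {
      findings.push({ src: s.src, reason: 'allowed third-party script without SRI' });
    }
  }
  return findings;
}

// Turn the allow-list into a script-src directive so the browser enforces it.
function buildScriptSrcDirective(allowedHosts) {
  const sources = ["'self'", ...allowedHosts.map((h) => 'https://' + h)];
  return 'script-src ' + sources.join(' ');
}

// Stand-alone run on the constructed sample.
const report = auditScripts(SAMPLE_HTML, 'https://forum.example.net', ['cdn.example.com']);
console.log(JSON.stringify(report, null, 2));
console.log('Content-Security-Policy: ' + buildScriptSrcDirective(['cdn.example.com']));
```

On the sample, the audit reports only the `share.example-social.com` script; the CDN script passes because it is on the allow-list and carries an `integrity` attribute, and `/js/app.js` is first-party. The emitted `script-src 'self' https://cdn.example.com` header is the enforcement half: with it in place, the browser refuses to load the unlisted third-party script at all, which is the "worth blocking" outcome the thread describes, applied on the server side rather than in each visitor's browser.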