<div dir="ltr">Doesn't have to be webmail integration.  Theoretically the source could be any site that has articles with a LinkedIn share button (or comments system) and a "Click here to log in to the forums with your email address and password" button.<div>
<br></div><div>Since 90+% of people will have the same (easy) passwords for multiple services, and the LinkedIn script would be able to slurp up the form submissions on the site, that's the ballgame.</div><div><br></div>
<div>I sort of doubt this is happening though - I would think it would be a pretty big scandal if something like that were to come out.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Sep 22, 2013 at 7:31 PM, William Roush <span dir="ltr">&lt;<a href="mailto:william.roush@roushtech.net" target="_blank">william.roush@roushtech.net</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <div><div class="im">>The easiest way I know of is to
      convince the owner of a domain to load a script you control.<br>
      <br></div>
      Yeah that is pretty much the easiest way, is there a LinkedIn
      integration out there that webmail clients are using? Ick...<div class="im"><br>
      <br>
      > How many pages do you visit that have those Facebook like /
      Tweet / Google +1 buttons on them?<br>
      <br></div>
      We also have miles of logs of people accessing said sites via
      their client-side APIs because of it, so they stick out like a
      sore thumb. My biggest gripe is that even with the Engineer from
      LinkedIn there is just hand-waving and paranoia. I'm used to the
      network security guys dumping proof online when accusations like
      this are made in that realm.<br>
      <br>
      It seems 99% of "it must be happening" is the paranoia that their
      relationships with people are more interconnected than they think
      they are, and that computer algorithms can figure them out.<span class="HOEnZb"><font color="#888888"><br>
      <br>
      <pre cols="72">William Roush
</pre></font></span><div><div class="h5">
      On 9/22/2013 3:50 PM, James Nylen wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">The easiest way I know of is to convince the owner
        of a domain to load a script you control.  Once you do that,
        technically all bets are off and you can capture any interaction
        with that domain.
        <div><br>
        </div>
        <div>How many pages do you visit that have those Facebook like /
          Tweet / Google +1 buttons on them?  Yeah... I think those
          scripts are worth blocking.</div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Sat, Sep 21, 2013 at 2:30 PM,
          William Roush <span dir="ltr">&lt;<a href="mailto:william.roush@roushtech.net" target="_blank">william.roush@roushtech.net</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'll bite,
            how DO you gain control of a window you didn't spawn in
            javascript on a modern browser?<br>
            <br>
            I could see it being done with other technologies (ex: java
            applets?) or other exploits (XSS/CSRF), but I'd figure those
            would seem to be a lot easier to detect and we'd have
            evidence before this even came out.<span><font color="#888888"><br>
                <br>
                William Roush</font></span>
            <div>
              <div><br>
                <br>
                On 9/21/2013 2:03 PM, Mike Harrison wrote:<br>
                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    I'd like to know what they mean by that...
                    cross-window, cross-domain exploits? Aren't those
                    nearly impossible on any modern browser?<br>
                  </blockquote>
                  <br>
                  Not impossible, but I'm waiting for a better
                  explanation of what really happened. LinkedIn and
                  other social media sites are often confusing to some
                  people, and they click [yes] and enter passwords
                  without thought.<br>
                  <br>
                  It might be as simple as morons that use the same
                  password for email as<br>
                  things like LinkedIn, Facebook..<br>
                  _______________________________________________<br>
                  Chugalug mailing list<br>
                  <a href="mailto:Chugalug@chugalug.org" target="_blank">Chugalug@chugalug.org</a><br>
                  <a href="http://chugalug.org/cgi-bin/mailman/listinfo/chugalug" target="_blank">http://chugalug.org/cgi-bin/mailman/listinfo/chugalug</a><br>
                </blockquote>
                <br>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br></div>
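The thread's point is that any script a page loads from another origin runs with full access to that page, including a login form on it. A site owner can check for that combination with the audit below, which is an added example and not code from anyone in the thread; `auditPage`, the sample markup and the `.example` hostnames are constructed for illustration.

```javascript
// Added example: flag pages where a password field shares the document with
// scripts served from another origin. Regex tag matching is a simplification
// for static HTML; scripts injected at runtime are not seen.
function attr(tag, name) {
  const m = tag.match(
    new RegExp(`\\s${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, "i"));
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

function auditPage(html, pageUrl) {
  const page = new URL(pageUrl);
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  const hasPasswordField = inputs.some(
    (t) => (attr(t, "type") || "").toLowerCase() === "password");
  const thirdPartyScripts = [];
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const src = attr(tag, "src");
    if (!src) continue;                 // inline script, served by the page itself
    const url = new URL(src, page);     // resolves relative and //host forms
    if (url.origin === page.origin) continue;
    // sri: whether the tag pins the script with Subresource Integrity
    thirdPartyScripts.push({ origin: url.origin, sri: attr(tag, "integrity") !== null });
  }
  return { hasPasswordField, thirdPartyScripts,
           exposed: hasPasswordField && thirdPartyScripts.length > 0 };
}

// Constructed sample: an article page with a share widget and a forum login form.
const SAMPLE_ARTICLE = `
<html><body>
  <script src="/js/site.js"></script>
  <script src="//widgets.social.example/share.js" async></script>
  <form action="/forum/login" method="post">
    <input type="email" name="email">
    <input type="password" name="pw">
  </form>
</body></html>`;

// Constructed sample: the login form moved to its own page with first-party script only.
const SAMPLE_LOGIN = `
<html><body>
  <script src="/js/site.js"></script>
  <form action="/forum/login" method="post">
    <input type="password" name="pw">
  </form>
</body></html>`;

console.log(auditPage(SAMPLE_ARTICLE, "https://news.example/articles/1"));
console.log(auditPage(SAMPLE_LOGIN, "https://news.example/login"));
```

Origins are compared exactly, so a first-party CDN on a different hostname is also reported and needs an allow-list in practice.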