this ain't kosher: LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

From: Rod 
 From /. :
cold fjord writes with this Business Week report:
"LinkedIn Corp. ... was sued by customers who claim the company  
appropriated their identities for marketing purposes by hacking into their  
external e-mail accounts and downloading contacts' addresses. The  
customers, who aim to lead a group suit against LinkedIn, asked a federal  
judge in San Jose, California, to bar the company from repeating the  
alleged violations and to force it to return any revenue stemming from its  
use of their identities to promote the site ... 'LinkedIn's own website  
contains hundreds of complaints regarding this practice,' they said in the  
complaint filed Sept. 17. ... LinkedIn required the members to provide an  
external e-mail address as their username on its site, then used the  
information to access their external e-mail accounts when they were left  
open ... 'LinkedIn pretends to be that user and downloads the e-mail  
addresses contained anywhere in that account to LinkedIn's servers,' they  
said. 'LinkedIn is able to download these addresses without requesting the  
password for the external e-mail accounts or obtaining users' consent.'"
"This puts an interesting twist on LinkedIn's recent call for  
transparency," adds cold fjord. (More at Bloomberg.)

Using Opera's mail client:

===============================================================
From: William Roush
------------------------------------------------------
I'm really interested in the HOW here. I know LinkedIn can store your e-mail credentials for this purpose, but that is something you do yourself.

There is some discussion of LinkedIn relying on exploits; that seems like a lot of work for what is a crapshoot in being able to pull contacts, especially when they have a system that even the more technical-savvy on Slashdot were willing to use...

It helps having KeePass. There is additional discussion that it's simply UI confusion, and if you use the same password for both systems, you think you're giving your password for LinkedIn (you always log in with your e-mail address), when really it's asking access to your contact list.

> "then used the information to access their external e-mail accounts when they were left open,"

I'd like to know what they mean by that... cross-window, cross-domain exploits? Aren't those nearly impossible on any modern browser?

William Roush

===============================================================
From: Mike Harrison
------------------------------------------------------
Not impossible, but I'm waiting for a better explanation of what really happened. LinkedIn and other social media sites are often confusing to some people, and they click [yes] and enter passwords without thought.

It might be as simple as morons that use the same password for email as things like LinkedIn, Facebook..

===============================================================
From: William Roush
------------------------------------------------------
I'll bite, how DO you gain control of a window you didn't spawn in JavaScript on a modern browser?

I could see it being done with other technologies (ex: Java applets?) or other exploits (XSS/CSRF), but I'd figure those would seem to be a lot easier to detect and we'd have evidence before this even came out.

William Roush

===============================================================
From: Mike Harrison
------------------------------------------------------
Demo under construction....

From my Android phone on T-Mobile. The first nationwide 4G network.

===============================================================
From: James Nylen
------------------------------------------------------
The easiest way I know of is to convince the owner of a domain to load a script you control. Once you do that, technically all bets are off and you can capture any interaction with that domain.

How many pages do you visit that have those Facebook like / Tweet / Google +1 buttons on them? Yeah... I think those scripts are worth blocking.

On Sat, Sep 21, 2013 at 2:30 PM, William Roush wrote:

===============================================================
From: William Roush
------------------------------------------------------
> The easiest way I know of is to convince the owner of a domain to load a script you control.

Yeah, that is pretty much the easiest way. Is there a LinkedIn integration out there that webmail clients are using? Ick...

> How many pages do you visit that have those Facebook like / Tweet / Google +1 buttons on them?

We also have miles of logs of people accessing said sites via their client-side APIs because of it, so they stick out like a sore thumb.

My biggest gripe is that even with the engineer from LinkedIn there is just hand-waving and paranoia. I'm used to the network security guys dumping proof online when accusations like this are made in that realm. It seems 99% of "it must be happening" is the paranoia that their relationships with people are more interconnected than they think they are, and that computer algorithms can figure them out.

William Roush

===============================================================
From: James Nylen
------------------------------------------------------
Doesn't have to be webmail integration. Theoretically the source could be any site that has articles with a LinkedIn share button (or comments system) and a "Click here to log in to the forums with your email address and password" button. Since 90+% of people will have the same (easy) passwords for multiple services, and the LinkedIn script would be able to slurp up the form submissions on the site, that's the ballgame.

I sort of doubt this is happening though - I would think it would be a pretty big scandal if something like that were to come out.

On Sun, Sep 22, 2013 at 7:31 PM, William Roush wrote:
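A defender's check for the situation James describes above (a login form sharing a page with a script served from another origin), written as an added example for this thread and not code posted by anyone on the list or by any site it mentions. It audits a constructed HTML page under Node and reports which scripts execute from a different origin than the page, which of those are not pinned with Subresource Integrity, and whether a password field is present alongside them. The page origin `https://forums.example.test`, the sample markup, the script URLs and the `sha384-PLACEHOLDER` digest are all assumptions made for the example.

```javascript
// Added example (not from the thread or from any site it mentions): audit a
// page for the exposure described above, i.e. a password form sharing its DOM
// with a script loaded from another origin. Runs offline under Node; the page
// origin, sample markup and script URLs below are constructed assumptions.

const PAGE_ORIGIN = "https://forums.example.test"; // assumed origin of the audited page

// Collect every <script src=...> tag, noting whether it carries an SRI
// integrity attribute. Inline scripts are skipped: they are first-party code.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue;
    scripts.push({
      src: src[1],
      hasIntegrity: /\bintegrity\s*=\s*["'][^"']+["']/i.test(attrs),
    });
  }
  return scripts;
}

// True when the page contains a password input, i.e. a credential form that
// any script running in the page can read.
function hasPasswordField(html) {
  return /<input\b[^>]*\btype\s*=\s*["']password["']/i.test(html);
}

// Resolve src (absolute, protocol-relative or path) against the page origin
// and report the origin it actually executes from. Unparsable URLs are
// treated as third-party, the conservative choice for an audit.
function scriptOrigin(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).origin;
  } catch (e) {
    return "unparsable:" + src;
  }
}

function auditPage(html, pageOrigin = PAGE_ORIGIN) {
  const ownOrigin = new URL(pageOrigin).origin;
  const thirdParty = extractScripts(html)
    .map((s) => ({ ...s, origin: scriptOrigin(s.src, pageOrigin) }))
    .filter((s) => s.origin !== ownOrigin);
  const passwordForm = hasPasswordField(html);
  return {
    passwordForm,
    thirdPartyScripts: thirdParty,
    // Scripts without SRI can change under the site owner's feet, so they are
    // the ones worth reviewing even on pages with no credential form.
    unpinnedThirdParty: thirdParty.filter((s) => !s.hasIntegrity).map((s) => s.src),
    // The case from the thread: credentials typed into a page whose DOM is
    // shared with code from another origin.
    credentialExposure: passwordForm && thirdParty.length > 0,
  };
}

// Constructed sample: a forum article with a share widget and a login form.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://widgets.social.example.test/share.js"></script>
<script src="//cdn.example.test/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script>window.inlineConfig = {};</script>
</head><body>
<form action="/login" method="post">
  <input type="email" name="email">
  <input type="password" name="password">
</form>
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditPage(SAMPLE_HTML), null, 2));
}
```

Run it with node and it prints the audit for the constructed page: two third-party scripts, one of them unpinned, on a page with a password field, so `credentialExposure` is true. The check is deliberately about where code executes rather than what it does: a widget fetched at runtime from another origin reads the same document as the site's own scripts, which is the premise of the post above. SRI pins a resource to a known digest and stops it changing silently, but it does nothing if the resource's owner is the party you distrust; the dependable fix is to keep credential forms on pages that load no third-party script at all, and to make that an explicit policy with a Content-Security-Policy `script-src` directive.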

===============================================================
From: William Roush
------------------------------------------------------
Yeah, I did entertain that idea earlier in the thread. If they are doing something fishy, I suspect that is it. You'll probably get in 99% of the time.

William Roush