Your LinkedIn e-mail address is officially vulnerable

A LinkedIn account has become one of the "must haves" of the professional world, and after hitting 200 million users last year, their success seems to be unstoppable. So what exactly has got them so worked up?

A browser extension called Sell Hack, which is available for Firefox, Safari and Chrome, allows you to uncover a user's e-mail address, regardless of whether or not you are connected to him/her. The tool was supposedly created for marketing professionals; in reality, however, such a professional could simply use LinkedIn's paid version. Sell Hack have said that they aren't doing anything illegal; instead, they insist that they are simply the ones doing the heavy lifting so that you don't have to.

LinkedIn don't seem to see things that way, and are making sure that they do everything in their power to shut down Sell Hack:

"We are doing everything we can to shut Sell Hack down. On 31 March LinkedIn's legal team delivered Sell Hack a cease-and-desist letter as a result of several violations" 

LinkedIn have insisted that all members who have downloaded Sell Hack should immediately uninstall the extension and send a request to the developers asking them to remove their data. The same spokesman also advised caution when downloading any third-party apps; what kind of spokesman would he be if he didn't, right?

Sell Hack said that they have disabled the plug-in with the idea of developing a different extension that is compliant with LinkedIn's terms of service, though two days later the tool seems to still be available for download.

Source: BBC | Image via sellhack.com

21 Comments


Why do people still think there is some degree of Internet privacy, even in light of frequent and massive security/data breaches?

I think they should not ask them to shut down. They had better work harder on improving security and then thank them for finding that security issue.

I've just checked something.

Because of their policy:

"We recommend you add at least one personal address and one work address."

I was able to log in to my profile using two different emails with the same password.

So I've removed the secondary email and changed my password.

Fingers crossed.

Isn't the problem here actually down to poor security coding with LinkedIn's service exposing those email addresses in the first place? If this extension can get them, anybody can. This isn't the extension's fault.

Nik L said,
But this plugin does nothing a user can't do by viewing source?

Yep...people's emails are in the source. Not really sure why the title of this article is "officially vulnerable". That's a bit misleading.

PhilTheThrill said,

Yep...people's emails are in the source. Not really sure why the title of this article is "officially vulnerable". That's a bit misleading.

IMO exposing a user's email address in the source of a page, when it's supposed to be hidden, is definitely a vulnerability.

Majesticmerc said,

IMO exposing a user's email address in the source of a page, when it's supposed to be hidden, is definitely a vulnerability.

Is it supposed to be hidden? Where is that set or stated?

PhilTheThrill said,

Is it supposed to be hidden? Where is that set or stated?

Yeah, it's supposed to be hidden if you're not connected to the person. You need to connect with them to see anything beyond the basic profile information, or you need to pay for a special account. However, because the email address is embedded in the source of the page, anyone can get hold of your email address and contact you privately.

Majesticmerc said,

Yeah, it's supposed to be hidden if you're not connected to the person. You need to connect with them to see anything beyond the basic profile information, or you need to pay for a special account. However, because the email address is embedded in the source of the page, anyone can get hold of your email address and contact you privately.

Sort of my point. LinkedIn "obscure" the information in hopes of getting (less technical) users to pay for a signup. That's not the same as "supposed to be hidden". I didn't see anything in the user agreement or privacy policy that sets in stone that your email address is totally private...far from it.

PhilTheThrill said,

Sort of my point. LinkedIn "obscure" the information in hopes of getting (less technical) users to pay for a signup. That's not the same as "supposed to be hidden". I didn't see anything in the user agreement or privacy policy that sets in stone that your email address is totally private...far from it.

Fair enough, but if the data isn't entirely hidden, they can't exactly get their panties in a twist when someone finds a way to extract the data.

I checked a few profiles of both people I am connected to and not connected to while logged in and logged out, and there are no email addresses visible in the source. Is there some detail I am missing or did LinkedIn act fast to change this?

In any case, it's my email address, who cares. It's likely already been sold a thousand times over judging by the spam I get.

Not to mention all this information (and much, much more) is ridiculously easy to find through people-search websites like Intelius or Spokeo. So, I agree with the other commenter, "vulnerable" is spreading FUD.

teknix360 said,
I checked a few profiles of both people I am connected to and not connected to while logged in and logged out, and there are no email addresses visible in the source. Is there some detail I am missing or did LinkedIn act fast to change this?

In any case, it's my email address, who cares. It's likely already been sold a thousand times over judging by the spam I get.

Not to mention all this information (and much, much more) is ridiculously easy to find through people-search websites like Intelius or Spokeo. So, I agree with the other commenter, "vulnerable" is spreading FUD.

Usually just find source then CTRL+F and search for the "@" sign. Should quickly find any email addresses.

"A LinkedIn account has become one of the "must haves" of the professional world"

They're kidding, right?

Get a ton of spam from them in all 3 of my junk Gmail accounts!

I'd be more inclined to use Facebook or Twitter, neither of which I use, than this thing!

cork1958 said,
"A LinkedIn account has become one of the "must haves" of the professional world"

They're kidding, right?

Get a ton of spam from them in all 3 of my junk Gmail accounts!

I'd be more inclined to use Facebook or Twitter, neither of which I use, than this thing!

To each their own, but I disagree. I have a LinkedIn account for "professional use", and use it solely for networking with work colleagues and other contacts relevant to me at a career level. I'd certainly not use Twitter or Facebook for the same purposes.

LinkedIn "friend lists" are typically much smaller than the similar friend lists on Facebook or Twitter. I have about 120 Facebook "friends", and follow about 60 people on Twitter, but my LinkedIn contact list is about 30 close colleagues and university contacts.

Similarly, the information you put about yourself on LinkedIn is much different from what you'd put on Facebook. Facebook is more about your personal life, the social aspect of who you are, whereas LinkedIn places an emphasis on things like qualifications, skills, commendations, and such.

Is it a must have account? Probably not. Is it useful? It depends on what you do or how you use it.

I have LinkedIn because you have no choice when working in IT. If they can't find you on LinkedIn, you won't even be invited for a job interview.

It is also the only place where I use my real full name publicly :p