LinkedIn Hacks Your Email (and a lockpicking ape)

So, here’s something I don’t entirely understand. How does signing up for LinkedIn allow them to slurp down all your contacts from that email address?

The article implies it’s some kind of weird pseudo-XSS-y thing, where they neither have to get your consent nor ask your email password.

Sadly the only clues to the technical underpinnings are a phrase from a LinkedIn engineer’s profile, “devising hack schemes to make lots of $$$ with Java, Groovy and cunning at Team Money!”

Lockpicking ape: Uses a neat trick – hiding tools in his mouth. Wouldn’t be hard to shape some of those stainless Bogotas to do this. http://content.time.com/time/magazine/article/0,9171,30198,00.html

http://www.businessweek.com/news/2013-09-20/linkedin-customers-say-company-hacked-their-e-mail-address-books

“LinkedIn Corp. (LNKD:US), owner of the world’s most popular professional-networking website, was sued by customers who claim the company appropriated their identities for marketing purposes by hacking into their external e-mail accounts and downloading contacts’ addresses.

The customers, who aim to lead a group suit against LinkedIn, asked a federal judge in San Jose, California, to bar the company from repeating the alleged violations and to force it to return any revenue stemming from its use of their identities to promote the site to non-members, according to a court filing.

“LinkedIn’s own website contains hundreds of complaints regarding this practice,” they said in the complaint filed Sept. 17, which also seeks unspecified damages. […]

LinkedIn required the members to provide an external e-mail address as their username on its site, then used the information to access their external e-mail accounts when they were left open, according to the complaint.

“LinkedIn pretends to be that user and downloads the e-mail addresses contained anywhere in that account to LinkedIn’s servers,” they said. “LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users’ consent.”

LinkedIn software engineer Brian Guan described his role on the company’s website as “devising hack schemes to make lots of $$$ with Java, Groovy and cunning at Team Money!” according to the complaint. Java is a programming language and computing platform released by Sun Microsystems in 1995. Groovy is another language for the Java platform.

The plaintiffs, who are seeking a jury trial, provided a link to the engineer’s post, http://www.linkedin.com/in/brianguan, which they said they last visited Sept. 13.

[…]

Jeffrey Barr of Livingston, New Jersey, said in an e-mail that he estimated LinkedIn used as many as 200 names and e-mail addresses of his contacts, inviting them to connect with him on the site.

“Some of the people I hadn’t talked to in five to 10 years, including several old girlfriends I had forgotten to delete,” he said.

LinkedIn told him he hadn’t unchecked a default setting allowing it to use the e-mails, he said.

According to the complaint, it was part of LinkedIn’s growth initiative also to send multiple e-mails endorsing its products, services, and brand to potential new users, following up with additional messages to people who didn’t sign on.

The existing users have no way to stop the process, the plaintiffs said.”
