15
Sep 14

LinkedIn Feature Exposes Email Addresses

One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing.

leakedinlogoLinkedIn has built much of its considerable worth on the age-old maxim that “it’s all about who you know.” As a LinkedIn user, you can directly connect with those you attest to knowing professionally or personally, but also you can ask to be introduced to someone you’d like to meet by sending a request through someone who bridges your separate social networks. Celebrities, executives or any other LinkedIn users who wish to avoid unsolicited contact requests may do so by selecting an option that forces the requesting party to supply the personal email address of the intended recipient.

LinkedIn’s entire social fabric begins to unravel if any user can directly connect to any other user, regardless of whether or how their social or professional circles overlap. Unfortunately for LinkedIn (and its users who wish to have their email addresses kept private), this is the exact risk introduced by the company’s built-in efforts to expand the social network’s user base.

According to researchers at the Seattle, Wash.-based firm Rhino Security Labs, at the crux of the issue is LinkedIn’s penchant for making sure you’re as connected as you possibly can be. When you sign up for a new account, for example, the service asks if you’d like to check your contacts lists at other online services (such as Gmail, Yahoo, Hotmail, etc.). The service does this so that you can connect with any email contacts that are already on LinkedIn, and so that LinkedIn can send invitations to your contacts who aren’t already users.

LinkedIn assumes that if an email address is in your contacts list, that you must already know this person. But what if your entire reason for signing up with LinkedIn is to discover the private email addresses of famous people? All you’d need to do is populate your email account’s contacts list with hundreds of permutations of famous peoples’ names — including combinations of last names, first names and initials — in front of @gmail.com, @yahoo.com, @hotmail.com, etc. With any luck and some imagination, you may well be on your way to an A-list LinkedIn friends list (or a fantastic set of addresses for spear-phishing, stalking, etc.).

LinkedIn lets you know which of your contacts aren't members.

LinkedIn lets you know which of your contacts aren’t members.

When you import your list of contacts from a third-party service or from a stand-alone file, LinkedIn will show you any profiles that match addresses in your contacts list. More significantly, LinkedIn helpfully tells you which email addresses in your contacts lists are not LinkedIn users.

It’s that last step that’s key to finding the email address of the targeted user to whom LinkedIn has just sent a connection request on your behalf. The service doesn’t explicitly tell you that person’s email address, but by comparing your email account’s contact list to the list of addresses that LinkedIn says don’t belong to any users, you can quickly figure out which address(es) on the contacts list correspond to the user(s) you’re trying to find.

Rhino Security founders Benjamin Caudill and Bryan Seely have a recent history of revealing how trust relationships between and among online services can be abused to expose or divert potentially sensitive information. Last month, the two researchers detailed how they were able to de-anonymize posts to Secret, an app-driven online service that allows people to share messages anonymously within their circle of friends, friends of friends, and publicly. In February, Seely more famously demonstrated how to use Google Maps to intercept FBI and Secret Service phone calls.

This time around, the researchers picked on Dallas Mavericks owner Mark Cuban to prove their point with LinkedIn. Using their low-tech hack, the duo was able to locate the Webmail address Cuban had used to sign up for LinkedIn. Seely said they found success in locating the email addresses of other celebrities using the same method about nine times out ten.

“We created several hundred possible addresses for Cuban in a few seconds, using a Microsoft Excel macro,” Seely said. “It’s just a brute-force guessing game, but 90 percent of people are going to use an email address that includes components of their real name.”

The Rhino guys really wanted Cuban’s help in spreading the word about what they’d found, but instead of messaging Cuban directly, Seely pursued a more subtle approach: He knew Cuban’s latest start-up was Cyber Dust, a chat messenger app designed to keep your messages private. So, Seely fired off a tweet complaining that “Facebook Messenger crosses all privacy lines,” and that as  result he was switching to Cyber Dust.

When Mark Cuban retweeted Seely’s endorsement of Cyber Dust, Seely reached out to Cyberdust CEO Ryan Ozonian, letting him know that he’d discovered Cuban’s email address on LinkedIn. In short order, Cuban was asking Rhino to test the security of Cyber Dust.

“Fortunately no major faults were found and those he found are already fixed in the coming update,” Cuban said in an email exchange with KrebsOnSecurity. “I like working with them. They look to help rather than exploit.. We have learned from them and I think their experience will be valuable to other app publishers and networks as well.”

Cory Scott, director of information security at LinkedIn, said very few of the company’s members opt-in to the requirement that all new potential contacts supply the invitee’s email address before sending an invitation to connect. He added that email address-to-user mapping is a fairly common design pattern, and that is is not particularly unique to LinkedIn, and that nothing the company does will prevent people from blasting emails to lists of addresses that might belong to a targeted user, hoping that one of them will hit home.

“Email address permutators, of which there are many of them on the ‘Net, have existed much longer than LinkedIn, and you can blast an email to all of them, knowing that most likely one of those will hit your target,” Scott said. “This is kind of one of those challenges that all social media companies face in trying to prevent the abuse of [site] functionality. We have rate limiting, scoring and abuse detection mechanisms to prevent frequent abusers of this service, and to make sure that people can’t validate spam lists.”

In an email sent to this reporter last week, LinkedIn said it was planning at least two changes to the way its service handles user email addresses.

“We are in the process of implementing two short-term changes and one longer term change to give our members more control over this feature,” Linkedin spokeswoman Nicole Leverich wrote in an emailed statement. “In the next few weeks, we are introducing new logic models designed to prevent hackers from abusing this feature. In addition, we are making it possible for members to ask us to opt out of being discoverable through this feature. In the longer term, we are looking into creating an opt-out box that members can choose to select to not be discoverable using this feature.”

Tags: , , , , , , , , , , , ,

40 comments

  1. There’s a catch to this: If your name is say, ‘Bob Jones’, and you sign up with an email address of bobjones(at)hotmail.com, then yeah, they’ll grab you pretty quick. But if your mail address was something completely unrelated like, fuzzyalleycat@hotmail.com, then they aren’t going to grab you. Or rather, they aren’t going to grab you specifically. They cannot proactively make that leap between you and the email address. If were to start putting together dictionary-cracking type address books, and just trying to sweep up everyone, then they might end up with your address by accident, but still hardly a targeted attack at that point.

    • While true, if you’re attempting to line up work or a new job using LinkedIn, you’ll quickly discover that “creative” email addresses are frowned upon by some employers. You can either use a variety of your first and last names or use some unbelievably inoffensive name. Recruiters, by and large, insisted upon the former.

      That being said, most recruiters I worked with while between jobs actually harmed my ability to find new employment (the resumes they demanded I modify mine into had one thing in common, namely universal hatred from potential employers), so while I wouldn’t want to put much stock in their opinions… more often than not they’re still the &*(@#&*$ who are employed as gatekeepers for many potential employers.

      • The email address you use to sign in to LinkedIn isn’t (necessarily) the same as the one that is on your resume or CV.

        But I’m an idealistic dreamer, and hope that prospective employers evaluate me on a little more than just my email address, anyway.

        • My email address has never gotten hatred from employers and it has nothing to do with my name. One time we actually connected pretty well because my boss knew the con Doin family that its taken from. You can also google me and see me using that address since ages ago in various news groups, lkml etc. Its not the fluffy bunny1976 type though where I’d understand some resentment actually.

    • Thanks Eric. Now I’m getting spammed to death…..

  2. Brian, when do you think someone will take the list of @gmail.com addresses that were published last week, add them to their contact list, and let LinkedIn peruse that list? Also, do you think that would cause a buffer-overlow at LinkedIn?

  3. Hay Caudill, I’m going to buy your next door neighbors home and open a cattle feed lot. I’ll troll you Dallas style punk

    You know how to reach me.

    -all my best
    MC

  4. I got suckered into joining LinkedIn way back when–I quickly became sorry I did–it’s useful for nothing. Anyone who is truly a connection of mine I communicate “privately” (if there is such a thing anymore) with them. Worse yet, they assume that I want to connect with everybody in the world who is in my area of expertise. I’ve had to go in and reset my privacy settings at least twice. Their ads and the requests for connections with people I don’t know (ie., headhunters) are obnoxious. Useless service, and just adding to the general noise to signal ratio.

    • One problem is they have to secure it against automated attacks and those are always changing. It’s useful for testing.

      “When testing a target we would like to test it from all perspectives and try to gather information from all possible means. “

  5. Brian I know that this is off topic but can you give an ETA for your review/appraisal of EMET 5??

    Thank you and take care

  6. Heh! Heh! Nothing like shooting the messenger to make one feel better, eh Mark? 😉

  7. I have an unresolved / outstanding security complaint to LinkedIn regarding the platform associating me with email addresses is has not legitimate access.

    Very similar to this article. LI is a bunch of horrible people and the data they have and use is a serious problem. Contact me via email if you would like access to data.

  8. I don’t use social media any more. How can I close a LinkedIn account?
    I closed my Facebook account. But it was difficult. I gave up on LinkedIn. Could not close it.

  9. TheOreganoRouter.onion.it

    This would explain and verify why on occasion, I get spam through LinkedIn. I might add to this article that LinkedIn’s customer service dealing with these kinds of problems is horrendously bad

  10. I’ve been a LinkedIn member for a long time and get significant business out of it. However, my experience with their support has been mostly dismal.
    It’s very difficult if not impossible to get their attention. If you’re lucky enough to do it don’t hold your breath expecting any positive outcomes.

  11. Years ago, Facebook had a similar security/privacy issue. They let you search for people using their phone number and also let you search using partial phone numbers. This was designed to find people who weren’t your friend yet, so it would match despite any privacy settings. So, you just start plugging in an area code an popular first few digits and browse the results. Didn’t find anything of interest? Just try some different starting digits until you did.

    I reported this issue to them years ago when I discovered it and it was subsequently fixed (IIRC, to only work for a full match) and these days there is no search by phone number feature.

  12. “By now, I am sure; you would have got an idea as to how dangerous a tool Google can be. The usernames and passwords got from here can be used to strengthen our dictionary attacks by adding these used passwords to the list we already have. This can also be used in user profiling which seems to be in demand in the underground market. The above queries where just simple dorks which gave out sensitive information.

    When testing a target we would like to test it from all perspectives and try to gather information from all possible means. In this section, we shall see how Google can be used to troll email addresses across the internet. This gives spammers a huge list of emails that they need in succeeding their goals. In 0.21 seconds Google time, I was able to get a excel sheet with 1000 email ids.” http://resources.infosecinstitute.com/google-hacking-for-fun-and-profit-i/

  13. I usually stay away from psychosocial media, LinkedIn is the epitome of this type of forum for bizwhack headhunters, and when they’re not looking for your head, they’re cold calling you to sell you some solar panels or setup an appointment to come and do some unneeded work on your house.

    • “In order to change an existing paradigm you do not struggle to try and change the problematic model.

      You create a new model and make the old one obsolete.

      That, in essence, is the higher service to which we are all being called.”

      ~ Buckminster Fuller ~
      http://p2pfoundation.net/Main_Page

      More features are nice. They don’t mean more security though.

  14. LinkedIn allows other group members to contact you without knowing your email address as long as you both belong to the same group.

  15. “Thirty-odd years ago I began to counsel that you should build organized abandonment into your system. It follows the old line that it makes more sense for you to make obsolete your own products than to wait for the competitor to do it. But this is very hard for organizations to do. The internal resistance is great. They have to be forced. Remember the Edsel? After eighteen months the Ford Motor Company announced that it was abandoning the Edsel. I think we all roared with laughter. We had already abandoned the Edsel. The Ford Motor Company just took a hell of a long time to accept it.”
    http://archive.wired.com/wired/archive/1.03/drucker.html?pg=3&topic=
    The users could start to abandon it! What is the Google option?

  16. This is really bad, and I appreciate the Rihno security works and Cubans’s work (y)

  17. This kind of damaging feature was also available in Facebook 2 years ago when I needed to extract email addresses.Not confirm about Facebook now, Social networking websites have to fix this…. Privacy is everything over internet.

  18. TheOreganoRouter.onion.it

    After reading this article, I am now reporting LinkedIn to their Internet Provider for spam abuse. Clearly the people who work for LinkedIn don’t understand what the phrase “Cease and Desist” means.

  19. Should their new name be LeakedOut?

  20. If you don’t like Linkedin you don’t have to use it, just like gmail. No one is forcing it on you.

    I use it quite a bit for back grounding people and connecting to people with similar interests after a conference or other event.

    No one makes us use our connections in the business world but if you have none then you may find it hard to have a successful life. I suppose one can toil away off in some remote part of the planet and never speak to another human but I am sure it would not be my choice for a fulfilling life.

    We all take risks with our information everyday, it’s just a choice, not the end of life.

    • Those with actual connections in the business world are not using them on LinkedIn or Facebook.

      The wannabes use it, primarily to be seen using it as an attempt to increase their credibility.

      Social media is for the plebeians to use, to provide information the masters can use to better control and manage them.

      • Nice attempt at trolling. However your skills lack the needed insight to be gained from the normal tinfoil hat wearing fox news reading crowd. Had you been more vile and pointed in your thrust or provided a parry of enlightenment it would have found a truer mark, yet to make such an elitist and yet somehow hopelessly out of touch with the modern business world point of view it seems that you may have missed all of the boats that have floated since 1975. Good luck with the old boys network, do you guys still meet in the restroom to discuss your plans to take over the world?

  21. The article very clearly illustrates both Rhino Security and Cory Scott are basically clueless when it comes to knowing much about how the LinkedIn website actually works.

    The first thing both Rhino Security and Cory Scott fail to recognize is each LinkedIn member is limited to only 3,000 invitations, which means running through an exhaustive list of email permutations for a bunch of so-called celebrities would very rapidly deplete any member’s available invitations.

    Second, the major flaw of the whole opening an email address book to LinkedIn for the purpose of sending out invitations is the email address book is opened with every entry selected rather than no entries selected. The member is instructed to “select” entries they wish to send an invitation, but the member inadvertently assumes they must click an entry to make the selection when, in fact, clicking an entry removes the entry as being “selected”. The end result is a member winds up sending invitations to every entry except those they really wanted to receive an invitation.

    So long as the genii at LinkedIn remain so clueless regarding how the LinkedIn website works every LinkedIn member must be exceedingly cautious about everything they do on the website and never “assume” they know what is about to happen when they click.

    • Good Points Charles.
      I let LinkedIn send invites to my gmail only once and even tho they say they don’t keep passwords every time someone from my address book joins they let me know to connect so somewhere they have a very old list of my contacts.

  22. If your address book includes emails collected with a privacy policy of non-disclosure, eg many voluntary organisation and clubs, giving LI access would be disclosure, almost certainly illegal at least in the UK. It should be possible for those who have sinned to have the option of having LI delete the addresses. And the implications need to be made clear at the point you are asked to reveal a password. I know plenty of sinners…

  23. LinkedIn needs new management.

    Through their phone apps, they collected address books of my friends, and spammed me.

    The offensive part is that they spoofed the emails, so the email looks like it came from my friend John Doe from his email address johndoe@xyz.com.

    Looking at the full email headers, the emails came directly from LinkedIn but they spooffed the sender, faking that it came from my johndoe@xyz.com

    That’s fraud from a publicly owned company.
    Shameful
    SEC violation?