LinkedIn accesses Gmail contacts via ‘auto-authorization’ (thestack.com)
112 points by pzb on Oct 22, 2016 | hide | past | favorite | 47 comments



See LinkedIn Dark Patterns [0]. It explains how LinkedIn tricks one into sharing contacts.

  There we have it, finally signed up and signed in to
  LinkedIn. The next part of the new user experience is filling
  out your profile. Depending on how you count, LinkedIn tries to
  import the user’s address book three to eight times. It
  shouldn’t be this hard to sign up for a product without giving
  away any unnecessary information.
Related HN discussion [1].

[0] https://medium.com/@danrschlosser/linkedin-dark-patterns-3ae...

[1] https://news.ycombinator.com/item?id=11063178


Listen - I'm not above accusing LinkedIn of horrible things, but here we are basically taking the word of a call center rep over what we (should) know to be technical limitations of the platform in question.

One of 3 things seems to be possible here:

1) The rep is right and gmail has an XSS vulnerability that LinkedIn is using

2) LinkedIn and Google are in bed and sharing this information based on some fingerprint-foo

3) This guy or his other contacts somehow at some point succumbed to LinkedIn trickery and gave access to his gmail account.

Don't know about you, but #3 seems most likely to me...


It seems to me that you're trying to turn the tables on the subject and pretend that LinkedIn's contact list abuse is, somehow or for any reason, instead an issue regarding a "call center rep", which no one likes.

How about focusing on the problem instead of pulling a bait-and-switch?

The fact is linkedin tries incessantly to import contact lists from their users, sometimes in the clear and sometimes through shady dark-patterns.

Everyone who ever used linkedin is well aware of that.

Other social network services also abuse that angle, like facebook.

So, why exactly are you trying to pull the proverbial wool over everyone's eyes by trying to make believe that this issue is about an ill-reputed "call center rep" instead of the clamorous privacy abuse that social network services try to force on their users repeatedly?


I'm trying to focus on the content of the article and not the hundreds of other blog posts about scummy LI behavior. The linked post has nothing to do with dark patterns, which are crappy and LI is clearly guilty of.

I'm not sure what exactly you feel I'm trying to lie about here - my post stated I think that LI conned this guy out of his contacts instead of utilizing some heretofore unknown technology to steal them from a separate browser window.


> I'm trying to focus on the content of the article

If you actually had any intention of focusing on the content, you wouldn't have tried to turn the tables with a blatant ad hominem while turning a blind eye to the issue.


If you know about browser security, you know that what is being described is just not possible. Likely the author had authorized some Google importer or something, but simply visiting 2 different websites in 2 tabs would not allow this. Just imagine the insanity if it was possible for one site to read from another tab.


I want to agree with you but I've seen a similar situation with Yahoo mail for someone else, and I confirmed first-hand they had not imported their contacts. So I don't even know what to believe anymore. It makes no sense for this to be possible, but neither does the story everyone is recounting.


I've seen this happen too. I'm actually under the impression that LinkedIn will log in to your email account if they can. They keep asking me to "confirm" an email address by giving them the password. Sorry, not gonna happen. I believe (without hard proof) that if Alice sends Bob an email talking about Cindy, all three will be suggested as people they may know even if none of them have explicitly indicated such to LinkedIn. Facebook apparently does some similar things, but LinkedIn is creepy in this regard. And remember, it could be that they didn't rifle through your email, but someone whose contacts include you. Oh, and I'm sure their "app" requires access to your phone contacts for the same reasons.


I'm actually under the impression that LinkedIn will log in to your email account if they can.

That seems the most likely scenario to me to explain the article. Maybe they try to log in with your email and LinkedIn password on the chance that you used the same password for both services?

Then again, on Gmail, this should trigger a "login on new device" warning and shouldn't be possible at all if two-factor auth is active.


Only if the LinkedIn tab is opened from Gmail via target="_blank". But surely Gmail has protection against it.


still shouldn't work, since they are on different domains
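The two replies above lean on the browser's same-origin policy without spelling it out. As an added example that is not part of the thread, the snippet below implements the origin comparison browsers apply (scheme, host and port, per RFC 6454) and the defensive `rel` attribute that neutralizes the `target="_blank"` case; the Gmail and LinkedIn URLs are constructed samples.

```javascript
// Added example, not from the thread. Default ports used to normalize origins.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin tuple as browsers compute it: scheme, host, effective port.
// The WHATWG URL parser drops a default port (":443"), so we restore it here.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Script running in `scriptUrl` may read the DOM, cookies and storage of a
// document at `targetUrl` only when all three tuple components match.
// Different subdomains of one site are different origins.
function sameOrigin(scriptUrl, targetUrl) {
  return originOf(scriptUrl) === originOf(targetUrl);
}

// Defensive counterpart for the target="_blank" case discussed above: a link
// leaving the current origin should carry rel="noopener noreferrer" so the
// opened page receives window.opener === null and cannot even navigate the
// opener tab (cross-origin reads were never allowed; navigation otherwise is).
function relForBlankTarget(pageUrl, href) {
  const target = new URL(href, pageUrl).href; // resolve relative links
  return sameOrigin(pageUrl, target) ? "" : "noopener noreferrer";
}

// Constructed sample pairs: a Gmail tab next to a LinkedIn tab, plus edge
// cases that trip people up (explicit default port, scheme, subdomain).
const SAMPLES = [
  ["https://mail.google.com/mail/u/0/#inbox", "https://www.linkedin.com/feed/"],
  ["https://mail.google.com/", "https://mail.google.com:443/contacts"],
  ["https://mail.google.com/", "http://mail.google.com/"],
  ["https://accounts.google.com/", "https://mail.google.com/"],
];

for (const [a, b] of SAMPLES) {
  console.log(`${originOf(a)} -> ${originOf(b)}: readable=${sameOrigin(a, b)}`);
}
console.log(relForBlankTarget("https://mail.google.com/mail/", "https://www.linkedin.com/in/x"));
```

Only the second pair is readable: an explicit `:443` is the same origin as the implicit one, while a scheme change or a different subdomain is not.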


In previous stories[0] it turned out that LinkedIn was siphoning information via their mobile app. For example, if you're on Android and install LinkedIn you're granting the complete set of permissions the app requires plus automatically granting any new permissions the updated app specifies:

  This app has access to:

  Identity
  -find accounts on the device
  -add or remove accounts

  Calendar
  -read calendar events plus confidential information

  Contacts
  -find accounts on the device
  -read your contacts
  -modify your contacts

  Location
  -precise location (GPS and network-based)

  Photos/Media/Files
  -read the contents of your USB storage
  -modify or delete the contents of your USB storage

  Storage
  -read the contents of your USB storage
  -modify or delete the contents of your USB storage

  Other
  -read sync statistics
  -receive data from Internet
  -view network connections
  -create accounts and set passwords
  -full network access
  -read sync settings
  -control vibration
  -prevent device from sleeping
  -toggle sync on and off

  Updates to LinkedIn may automatically add
  additional capabilities within each group.
How people can willingly grant device pwnership to apps like this is beyond me.

[0] https://news.ycombinator.com/item?id=12651448


Most people are dumb and apathetic.

Why does that still surprise you?


This is hilarious - relevant snippet from the support conversation in the article:

"if you had at any time your LinkedIn account open and accessed any of your emails through the same browser… In order to prevent this from happening again, you will want to be careful to not open up your personal email address in the same browser when you have your LinkedIn account open."


followed by: "We are not doing this to invade your privacy, we are doing this to assist you in growing your network."


If this is true, then any website could use this same method to access Gmail contacts if you happen to have Gmail open in the same browser session.

Seems unlikely that it really works this way, it would be a huge security hole - spammers and scammers would be using this all the time to harvest addresses.


I'm also skeptical but believe it isn't coincidental that when I signed up, it recommended some people from my Gmail account. I had my country and city set as Beijing, China. The only other recommendations were from people in that area, whom I didn't know, because I'm really in the U.S.


groan...grabs pitchfork

But seriously though, why does LinkedIn refuse to learn time and time again? There's a line between being aggressive and being outright dishonest and the line isn't all that hard to determine. Uber is often aggressive but rarely are they dishonest in their practices (at least not egregiously from what I know). But at this point LinkedIn is the leader in practices like this and it's not all that clear to me that it's a great long term strategy.


I don't think there's a lesson to be learned. Their strategy is wildly successful.


The lesson is for users: be wary, click 'decline'


How can we be sure clicking 'Decline' has the behaviour we would expect?

The lesson is: don't use these services.


I assumed this was happening through their acquisition of Rapportive and all the authorized Gmail plugins that came with that. But this... this is sneaky.


Can someone explain how the hell this is even possible? Surely a random website can't read any other random website's session data? Is Google cooperating somehow?


Regardless of the technical feasibility of this particular method, I think it is wise to simply abandon LinkedIn. They have proven to be a company I don't want to be associated with. When people ask me for my LinkedIn, I tell them I don't have one and quickly summarize some confirmed cases of things like this.


I vouch for this claim that LinkedIn/Facebook seem to give recommendations to add someone as a friend even when there is no chance that they could figure it out using data they have. I don't understand why browsers can't sandbox each tab such that there is no way to share cookies or cache. This is a serious breach of privacy if they are reading friend relationships based on your Gmail open in other tabs.


It would not surprise me if one of their signals for recommendations is whether that party has viewed your profile.


That actually makes more sense.


There is also another option. Suppose, for a moment, that I've sent my friend an email and he/she has allowed LinkedIn access to their Google Contacts, even though I have not...there is no reason LinkedIn wouldn't still show me them as a contact to add, since they know the connection. They just know it from the other side.


Except LinkedIn very explicitly said that doesn't have to be the case, and the article shows examples of LinkedIn suggesting that the author invite non-users from his Gmail contacts to LinkedIn.


Agreed - this is the assumption I have been working on and have experienced too.


The article noted that this was also happening for email contacts who were not on LinkedIn.


What about a third person, e.g., a mutual friend?


I knew they were doing this based on recent connection suggestions but couldn't figure out how. This makes me furious and only better shows how slimy of an organization they are.


"We are not doing this to invade your privacy, we are doing this to assist you in growing your network."

Well if they are in my Gmail contacts they are already part of "my network." I can reach out and contact any of these people by simply sending them an email.


I agree, sounds more like the contacts were imported through app permissions or something, unless LinkedIn found a real vulnerability in a common browser or leveraged some CSRF or XSS attack, but that seems doubtful given it's Google. It's so easy just to accept the laundry list of permissions for common apps.

I'm doing some email outreach through Hubspot which requires access to my gmail so I set up a separate email so they don't have access to my main account. I don't believe Hubspot will do anything with my offline access token, but it's just one more system that has access, so better to follow the whole principle of least privilege.


Hey folks,

As the Product Manager of LinkedIn’s contacts import products, I can confirm that the original explanation was erroneous. The article on thestack.com references a Quora thread that was inaccurate due to misinformation from our representative, which we've corrected. He's also since posted a correction in reply to his answer; see https://www.quora.com/Does-LinkedIn-access-your-email-or-con....

We apologize for any confusion this caused and are working with our reps to ensure we correct any misinformation like this in the future.

We never send invitations without an action from the member. When you add connections you see the following:

-- a description of what occurs when you import your contacts to LinkedIn

-- a page allowing members to unselect contacts from the connection request.

You must go into the address book import page and authenticate the import of your contacts from your email. It does not happen just by being logged into LinkedIn and your email on the same browser.

Moreover, you can view, manage, and delete your imported contacts at any time by going to https://www.linkedin.com/people/contacts.

Thanks,

Barry


I posted a story asking about this (kind of) a couple years back [0]. I've seen all sorts of weird LinkedIn behavior in terms of people being recommended to me and people "accepting" invitations I didn't send. At least now I know I'm not entirely crazy.

[0] https://news.ycombinator.com/item?id=6105715


This drives me absolutely nuts. It makes me want to delete my LinkedIn account.


They have been trying to access Outlook accounts for the same reason for years, by asking for your password in a deceptive way. But if this is true it's next-level evil indeed, it seems that Gmail has an open XSS vulnerability, and LinkedIn (and Facebook too?) are using it to outright hack into your account.


It's stories like these I refer to when I'm asked why I don't have an account.


That's unacceptable. I just closed my LinkedIn account.


> At a technical level this kind of cross-site cross-pollination is quite achievable with the technical resources available to the major players concerned – supercookies, canvas fingerprinting, and global cookies acting as cross-site intermediaries all offer the possibility of breaking through a website’s sandbox.

Any idea what they're getting at here? All of them just sound like ways to uniquely identify a user.. so being generous I'll assume LinkedIn can always work out my gmail address even if I use another address to sign up.. what next, they hack my account using one of those?



So how do they technically do this? If there's an open browser window they shouldn't be able to access it. That's an XSS exploit. This is not authorization, this is stealing leaked info.


Where is Google in all this?


How exactly does this work at a technical level?


I recall there was a followup to the article that confirmed that he had granted access to his gmail (or someone in his network etc). What the article describes should not be technically possible.



