LinkedIn: Browser plugin does not hack our service

James Delahunty
1 Apr 2014 18:03

LinkedIn has responded to reports about a browser plug-in that claims to be able to hack the e-mail address of any user.
The Sell Hack browser plug-in can be installed in Chrome, Safari or Firefox, and it adds a "Hack In" button to every LinkedIn profile that you visit. It claims that with just a click of this button, it can dump the e-mail address information associated with the profile.
Early reports suggested that the tool somehow compromises LinkedIn's system to dump the e-mail addresses. However, on closer inspection, the plug-in clearly does not work for every profile that you try, whereas it appears to work for profiles of well-known individuals.
That quickly led more skeptical types to assume that the plug-in is using some other means to find information available elsewhere about a particular user.
According to LinkedIn's senior manager of corporate communications, Krista Canfield, no LinkedIn data has been compromised by the plug-in, and the e-mail addresses that are revealed are not obtained through any breach, bug or vulnerability in the site.
LinkedIn warns users on the risks of the plug-in
On Monday, Canfield confirmed that the service had sent a cease and desist letter to address "several violations," and she warned users against installing the plug-in.
"We advise LinkedIn members to protect themselves and to use caution before downloading any third-party extension or app," Canfield told Yahoo Tech, reports Alyssa Bereznak. "Often times, as with the SellHack case, extensions can upload your private LinkedIn information without your explicit consent."
That seems like reasonable advice for more than just this particular plug-in.
Sell Hack defends itself
The individuals behind Sell Hack describe themselves as "dads from the midwest", and object to being described as sneaky, nefarious, no good, or not "legitimate". They confirmed the cease and desist letter sent from LinkedIn, and that Sell Hack no longer works with LinkedIn.
"We only processed publicly visible data from LinkedIn based on your profile permissions...all of which has been deleted."
At the same time, it has been a mixed bag for them: they have had more signups today than in the first 60 days of availability combined, and they are working on a better product that complies with LinkedIn's terms of service.

Sources & Recommended Material:
Original report from Yahoo Tech: https://www.yahoo.com/tech/...
Response from Sell Hack: http://blog.sellhack.com/
Analysis by security analyst Graham Cluley: http://grahamcluley.com/2014/04/sellhack-linkedin/
