[Chugalug] this ain't kosher:LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts


[Chugalug] this ain't kosher:LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

Rod-Lists
 From /. :
cold fjord writes with this Business Week report:
"LinkedIn Corp. ... was sued by customers who claim the company  
appropriated their identities for marketing purposes by hacking into their  
external e-mail accounts and downloading contacts' addresses. The  
customers, who aim to lead a group suit against LinkedIn, asked a federal  
judge in San Jose, California, to bar the company from repeating the  
alleged violations and to force it to return any revenue stemming from its  
use of their identities to promote the site ... 'LinkedIn's own website  
contains hundreds of complaints regarding this practice,' they said in the  
complaint filed Sept. 17. ... LinkedIn required the members to provide an  
external e-mail address as their username on its site, then used the  
information to access their external e-mail accounts when they were left  
open ... 'LinkedIn pretends to be that user and downloads the e-mail  
addresses contained anywhere in that account to LinkedIn's servers,' they  
said. 'LinkedIn is able to download these addresses without requesting the  
password for the external e-mail accounts or obtaining users' consent.'"
"This puts an interesting twist on LinkedIn's recent call for  
transparency," adds cold fjord. (More at Bloomberg.)
http://tech.slashdot.org/story/13/09/21/1258235/linkedin-accused-of-hacking-customers-e-mails-to-slurp-up-contacts

--
Using Opera's mail client: http://www.opera.com/mail/
_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug

Re: [Chugalug] this ain't kosher:LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

William D. Roush
I'm really interested in the HOW here. I know LinkedIn can store your e-mail credentials for this purpose, but that is something you do yourself.

There is some discussion of LinkedIn relying on exploits; that seems like a lot of work for what is a crapshoot in being able to pull contacts, especially when they have a system that even the more tech-savvy on Slashdot were willing to use...

It helps having KeePass. There is additional discussion that it's simply UI confusion: if you use the same password for both systems, you think you're giving your password for LinkedIn (you always log in with your e-mail address), when really it's asking for access to your contact list.

> "then used the information to access their external e-mail accounts when they were left open,"

I'd like to know what they mean by that... cross-window, cross-domain exploits? Aren't those nearly impossible on any modern browser?

William Roush


On 9/21/2013 12:42 PM, Rod wrote:

Re: [Chugalug] this ain't kosher:LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

Mike Harrison
> I'd like to know what they mean by that... cross-window, cross-domain exploits? Aren't those nearly impossible on any modern browser?

Not impossible, but I'm waiting for a better explanation of what really
happened. LinkedIn and other social media sites are often confusing to
some people, and they click [yes] and enter passwords without thought.

It might be as simple as morons that use the same password for email as
things like LinkedIn, Facebook..

Re: [Chugalug] this ain't kosher:LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

William D. Roush
I'll bite, how DO you gain control of a window you didn't spawn in
JavaScript on a modern browser?

I could see it being done with other technologies (ex: java applets?) or
other exploits (XSS/CSRF), but I'd figure those would seem to be a lot
easier to detect and we'd have evidence before this even came out.

William Roush

On 9/21/2013 2:03 PM, Mike Harrison wrote:


Re: [Chugalug] this ain't kosher:LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

Mike Harrison
In reply to this post by Rod-Lists
Demo under construction....


From my Android phone on T-Mobile. The first nationwide 4G network.




Re: [Chugalug] this ain't kosher:LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

James Nylen
In reply to this post by William D. Roush
The easiest way I know of is to convince the owner of a domain to load a script you control.  Once you do that, technically all bets are off and you can capture any interaction with that domain.

How many pages do you visit that have those Facebook like / Tweet / Google +1 buttons on them?  Yeah... I think those scripts are worth blocking.


On Sat, Sep 21, 2013 at 2:30 PM, William Roush <[hidden email]> wrote:

Re: [Chugalug] this ain't kosher:LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

William D. Roush
>The easiest way I know of is to convince the owner of a domain to load a script you control.

Yeah, that is pretty much the easiest way. Is there a LinkedIn integration out there that webmail clients are using? Ick...

> How many pages do you visit that have those Facebook like / Tweet / Google +1 buttons on them?

We also have miles of logs of people accessing said sites via their client-side APIs because of it, so they stick out like a sore thumb. My biggest gripe is that even with the Engineer from LinkedIn there is just hand-waving and paranoia. I'm used to the network security guys dumping proof online when accusations like this are made in that realm.

It seems 99% of "it must be happening" is the paranoia that their relationships with people are more interconnected than they think they are, and that computer algorithms can figure them out.

William Roush
On 9/22/2013 3:50 PM, James Nylen wrote:

Re: [Chugalug] this ain't kosher:LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

James Nylen
Doesn't have to be webmail integration.  Theoretically the source could be any site that has articles with a LinkedIn share button (or comments system) and a "Click here to log in to the forums with your email address and password" button.

Since 90+% of people will have the same (easy) passwords for multiple services, and the LinkedIn script would be able to slurp up the form submissions on the site, that's the ballgame.

I sort of doubt this is happening though - I would think it would be a pretty big scandal if something like that were to come out.


On Sun, Sep 22, 2013 at 7:31 PM, William Roush <[hidden email]> wrote:

Re: [Chugalug] this ain't kosher:LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

William D. Roush
Yeah, I did entertain that idea earlier in the thread; if they are doing
something fishy, I suspect that is it. You'll probably get in 99% of the
time.

William Roush

On 9/24/2013 4:30 PM, James Nylen wrote:
> Since 90+% of people will have the same (easy) passwords for multiple
> services, and the LinkedIn script would be able to slurp up the form
> submissions on the site, that's the ballgame.
