
LinkedIn accesses Gmail contacts via ‘auto-authorization’

112 points by pzb over 8 years ago

24 comments

0xmohit over 8 years ago
See LinkedIn Dark Patterns [0]. It explains how LinkedIn *tricks* one into sharing contacts.

> There we have it, finally signed up and signed in to LinkedIn. The next part of the new user experience is filling out your profile. Depending on how you count, LinkedIn tries to import the user's address book three to eight times. It shouldn't be this hard to sign up for a product without giving away any unnecessary information.

Related HN discussion [1].

[0] https://medium.com/@danrschlosser/linkedin-dark-patterns-3ae726fe1462
[1] https://news.ycombinator.com/item?id=11063178
djrogers over 8 years ago
Listen - I'm not above accusing LinkedIn of horrible things, but here we are basically taking the word of a call center rep over what we (should) know to be technical limitations of the platform in question.

One of 3 things seems to be possible here:

1) The rep is right and Gmail has an XSS vulnerability that LinkedIn is using
2) LinkedIn and Google are in bed and sharing this information based on some fingerprint-foo
3) This guy or his other contacts somehow at some point succumbed to LinkedIn trickery and gave access to his Gmail account.

Don't know about you, but #3 seems most likely to me...
DanBlake over 8 years ago
If you know about browser security, you know that what is being described is just not possible. Likely the author had authorized some Google importer or something, but simply visiting 2 different websites in 2 tabs would not allow this. Just imagine the insanity if it was possible for one site to read from another tab.
biot over 8 years ago
In previous stories [0] it turned out that LinkedIn was siphoning information via their mobile app. For example, if you're on Android and install LinkedIn you're granting the complete set of permissions the app requires plus automatically granting any new permissions the updated app specifies:

> This app has access to:
> Identity
> - find accounts on the device
> - add or remove accounts
> Calendar
> - read calendar events plus confidential information
> Contacts
> - find accounts on the device
> - read your contacts
> - modify your contacts
> Location
> - precise location (GPS and network-based)
> Photos/Media/Files
> - read the contents of your USB storage
> - modify or delete the contents of your USB storage
> Storage
> - read the contents of your USB storage
> - modify or delete the contents of your USB storage
> Other
> - read sync statistics
> - receive data from Internet
> - view network connections
> - create accounts and set passwords
> - full network access
> - read sync settings
> - control vibration
> - prevent device from sleeping
> - toggle sync on and off
> Updates to LinkedIn may automatically add additional capabilities within each group.

How people can willingly grant device pwnership to apps like this is beyond me.

[0] https://news.ycombinator.com/item?id=12651448
nwrk over 8 years ago
This is hilarious - relevant snippet from the support conversation in the article:

> "if you had at any time your LinkedIn account open and accessed any of your emails through the same browser… In order from preventing this from happening again, you will want to be careful to not open up your personal email address in the same browser when you have your LinkedIn account open."
Johnny555 over 8 years ago
If this is true, then *any* website could use this same method to access Gmail contacts if you happen to have Gmail open in the same browser session.

Seems unlikely that it really works this way; it would be a huge security hole - spammers and scammers would be using this all the time to harvest addresses.
askafriend over 8 years ago
*groan*... *grabs pitchfork*

But seriously though, why does LinkedIn refuse to learn time and time again? There's a line between being aggressive and being outright dishonest, and the line isn't all that hard to determine. Uber is often aggressive but rarely are they dishonest in their practices (at least not egregiously, from what I know). But at this point LinkedIn is the leader in practices like this, and it's not all that clear to me that it's a great long-term strategy.
joshavant over 8 years ago
I assumed this was happening through their acquisition of Rapportive and all the authorized Gmail plugins that came with that. But this... this is sneaky.
wfunction over 8 years ago
Can someone explain how the hell this is even possible? Surely a random website can't read any other random website's session data? Is Google cooperating somehow?
eximius over 8 years ago
Regardless of the technical feasibility of this particular method, I think it is wise to simply abandon LinkedIn. They have proven to be a company I don't want to be associated with. When people ask me for my LinkedIn, I tell them I don't have one and quickly summarize some confirmed cases of things like this.
harigov over 8 years ago
I vouch for this claim that LinkedIn/Facebook seem to give recommendations to add someone as a friend even when there is no chance that they could figure it out using data they have. I don't understand why browsers can't sandbox each tab such that there is no way to share cookies or cache. This is a serious breach of privacy if they are reading friend relationships based on your Gmail open in other tabs.
borski over 8 years ago
There is also another option. Suppose, for a moment, that I've sent my friend an email and he/she has allowed LinkedIn access to their Google Contacts, even though I have not... there is no reason LinkedIn wouldn't still show me them as a contact to add, since they know the connection. They just know it from the other side.
dalanmiller over 8 years ago
I knew they were doing this based on recent connection suggestions but couldn't figure out how. This makes me furious and only better shows how slimy of an organization they are.
bogomipz over 8 years ago
"We are not doing this to invade your privacy, we are doing this to assist you in growing your network."

Well, if they are in my Gmail contacts they are already part of "my network." I can reach out and contact any of these people by simply sending them an email.
derricgilling over 8 years ago
I agree, it sounds more like the contacts were imported through app permissions or something, unless LinkedIn found a real vulnerability in a common browser or leveraged some CSRF or XSS attack, but that seems doubtful given it's Google. It's so easy to just accept the laundry list of permissions for common apps.

I'm doing some email outreach through Hubspot which requires access to my Gmail, so I set up a separate email so they don't have access to my main account. I don't believe Hubspot will do anything with my offline access token, but it's just one more system that has access, so better to follow the whole principle of least privilege.
huangbp over 8 years ago
Hey folks,

As the Product Manager of LinkedIn's contacts import products, I can confirm that the original explanation was erroneous. The article on thestack.com references a Quora thread that was inaccurate due to misinformation from our representative, which we've corrected. He's also since posted a correction in reply to his answer; see https://www.quora.com/Does-LinkedIn-access-your-email-or-contact-list/answer/Forrest-Abouelnasr/comment/19766928.

We apologize for any confusion this caused and are working with our reps to ensure we correct any misinformation like this in the future.

We never send invitations without an action from the member. When you add connections you see the following:

-- a description of what occurs when you import your contacts to LinkedIn
-- a page allowing members to unselect contacts from the connection request.

You must go into the address book import page and authenticate the import of your contacts from your email. It does not happen just by being logged into LinkedIn and your email on the same browser.

Moreover, you can view, manage, and delete your imported contacts at any time by going to https://www.linkedin.com/people/contacts.

Thanks,

Barry
shortstuffsushi over 8 years ago
I posted a story asking about this (kind of) a couple years back [0]. I've seen all sorts of weird LinkedIn behavior in terms of people being recommended to me and people "accepting" invitations I didn't send. At least now I know I'm not entirely crazy.

[0] https://news.ycombinator.com/item?id=6105715
random55643 over 8 years ago
This drives me absolutely nuts. It makes me want to delete my LinkedIn account.
Animats over 8 years ago
That's unacceptable. I just closed my LinkedIn account.
mcintyre1994 over 8 years ago
> At a technical level this kind of cross-site cross-pollination is quite achievable with the technical resources available to the major players concerned – supercookies, canvas fingerprinting, and global cookies acting as cross-site intermediaries all offer the possibility of breaking through a website's sandbox.

Any idea what they're getting at here? All of them just sound like ways to uniquely identify a user... so being generous I'll assume LinkedIn can always work out my Gmail address even if I use another address to sign up... what next, they hack my account using one of those?
mikek over 8 years ago
Source: https://www.quora.com/Does-LinkedIn-access-your-email-or-contact-list?share=1
SchizoDuckie over 8 years ago
So how do they technically do this? If there's an open browser window they shouldn't be able to access it. That's an XSS exploit. This is not authorization, this is stealing leaked info.
wodenokoto over 8 years ago
Where is Google in all this?
nucotano over 8 years ago
How exactly does this work at a technical level?