I have a suspicion this app is harvesting all your LinkedIn contacts, uploading them to the app.sellhack.com server, and then as a "reward" for you giving up all that info, you can pull other contacts back out of sellhack.com.
Yup, that's exactly what it's doing. It's grabbing mailto's, email addresses, twitter handles, etc off pages you see -- from you & your connections -- and sending them back to its server.
Looks like all this is doing is trying every combo of first name, last name, initials, etc. @ the company's website the person was employed by.
Nothing new here that's actually hacking in though, just checking the combos for a positive return from Rapportive (or really it could just be pinging the email servers).
With that said, it is in a nice and "consumer"-friendly system, but even if this gets shut down you can do it manually very easily, and always have been able to.
They could easily be testing many of the gmail + yahoo + other popular accounts as well, doing google searches in the background for "name@gmail.com AND company" to see if the person appears or maybe it really is more than what I thought.
I just thought this way originally because it showed "26 results" for a friend I looked up that I'm not connected to before it gave me the 1 final result that was his email. The 26 results as it was loading showed everything from first@company.com (not active), firstlast@company.com (not active), firstLetterlastName@company.com (not active), etc.
EDIT: So based on it showing so many false positives, it looks like it's just queuing up all possibilities, then returning whatever it finds works.
What an incredibly irresponsible post by Yahoo Tech. No disclaimer, and it is written as a how-to!
Am I the only one who thinks that the people at Yahoo Tech should know better than to make de-facto recommendations to their users to install this kind of hack, which is as dangerous to users as it is in violation of the TOS of the target website?
It's a cluster-fudge alright. The reporter should have, er, reported on what they did and what results they saw.
And it left the really big question open: how does this "app" pull the email address? If it's sitting there in the source of the page somehow, this is just a pretty wrapper around a critical LinkedIn bug. If it's doing something else . . . well, I would be really interested in knowing what else it was doing.
It's easy to know what it is doing: it isn't using any LinkedIn exploits. It's scraping the name, URL and company from the LinkedIn page, then constantly running every possible combination against Rapportive, checking to see if it gets any returns, and then comparing the LinkedIn URL of each return to the LinkedIn URL it got from scraping. Rapportive is ironically a LinkedIn-owned company, so basically he is just dogfooding LinkedIn to exploit them.
Identical to something like this but with a few added steps
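As an added example (not code from the thread, the plugin, or Rapportive), here is the permutation-and-verify approach the two comments above describe, in Python: build every plausible local-part pattern from the scraped first name, last name and company domain, probe each one against a lookup service, and accept only the candidate whose returned LinkedIn URL matches the one scraped from the profile. The directory below is a constructed in-memory table standing in for Rapportive, so it runs offline; the names, addresses and URLs in it are made up. The `jdoe@example.com` entry shows why the URL comparison matters: the address exists, but it belongs to someone else, which is the kind of false positive the "26 results" comment saw.

```python
"""
Email-permutation guessing with profile verification.

Constructed stand-in for the workflow described in the thread:
  1. take the name + company domain scraped from a LinkedIn page,
  2. generate the usual corporate local-part patterns,
  3. ask a lookup service (Rapportive in the original; a fake table here)
     whether each address has a profile,
  4. accept a hit only if its LinkedIn URL matches the scraped one.
"""
import re

# Constructed directory standing in for a Rapportive-style lookup.
# Every entry here is invented for the example.
FAKE_DIRECTORY = {
    "jane.doe@example.com": {"name": "Jane Doe",
                             "linkedin": "https://www.linkedin.com/in/janedoe"},
    "jdoe@example.com":     {"name": "John Doe",   # same initial+surname, different person
                             "linkedin": "https://www.linkedin.com/in/john-doe-42"},
    "bob@example.com":      {"name": "Bob Roe",
                             "linkedin": "https://www.linkedin.com/in/bobroe"},
}


def normalize(token):
    """Lower-case and drop anything that would not appear in a local part."""
    return re.sub(r"[^a-z0-9]", "", token.lower())


def candidates(first, last, domain):
    """Return the ordered, de-duplicated list of address guesses for one person."""
    f, l = normalize(first), normalize(last)
    fi, li = f[:1], l[:1]
    patterns = [
        f, l, f + l, l + f, fi + l, f + li, fi + li, li + f,        # no separator
        f + "." + l, l + "." + f, fi + "." + l, f + "." + li,       # dot
        f + "_" + l, l + "_" + f, fi + "_" + l,                     # underscore
        f + "-" + l, l + "-" + f,                                   # hyphen
    ]
    seen, out = set(), []
    for p in patterns:
        if p and p not in seen:
            seen.add(p)
            out.append(f"{p}@{domain.lower()}")
    return out


def lookup(email):
    """Stand-in for the remote lookup: profile dict if the address is known, else None."""
    return FAKE_DIRECTORY.get(email)


def same_profile(a, b):
    """Compare two LinkedIn URLs loosely (case and trailing slash do not matter)."""
    return a.rstrip("/").lower() == b.rstrip("/").lower()


def find_email(first, last, domain, linkedin_url, lookup_fn=lookup):
    """
    Probe each candidate in order. Returns a dict with the matched address (or None),
    how many candidates were probed before stopping, and the addresses that had a
    profile but belonged to someone else (the false positives a naive version keeps).
    """
    rejected = []
    tried = 0
    for addr in candidates(first, last, domain):
        tried += 1
        profile = lookup_fn(addr)
        if profile is None:
            continue                       # address unknown to the service
        if same_profile(profile["linkedin"], linkedin_url):
            return {"email": addr, "tried": tried, "rejected": rejected}
        rejected.append(addr)              # real mailbox, wrong person
    return {"email": None, "tried": tried, "rejected": rejected}


if __name__ == "__main__":
    print(find_email("Jane", "Doe", "example.com",
                     "https://www.linkedin.com/in/janedoe"))
    print(find_email("Alice", "Smith", "example.com",
                     "https://www.linkedin.com/in/alicesmith"))
```

Against a real service each `lookup_fn` call is a network request, so the candidate order determines how many probes a target costs; the patterns above start with the ones most companies actually use. The `rejected` list is the interesting output for anyone auditing such a tool: it is exactly the set of "not active" intermediate results the plugin flashes while it is loading.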
So in other words, LinkedIn's "premium account" service suffers from an info disclosure vulnerability that they seem to be either too lazy or inept to fix, and are instead just using their legal team as a meatspace firewall.
I do not believe this is an exploit on LinkedIn's side. They're just pinging to see if various email addresses derived from your name exist. Maybe a few Googles too.
Features that are supposed to be behind a paywall but aren't? That's a vulnerability if you are LinkedIn and want to encourage more users to upgrade to premium.
The same, and my custom email even included 'linkedin' as a substring, so no doubt about it. Also I was seeing web crawler bots hitting URLs that were hidden behind a "contacts only" privacy limit.
I would assume the leak is with the connections you've given permission to view that address -- not with LinkedIn itself. I'm sure this isn't the first extension/toolbar/malware that scrapes your connections' pages.
I have just tried this with a new email and LinkedIn account, with the intention of seeing my own LinkedIn mail. At least it does not work with the latest Firefox and Linux Mint here.
It's not really a big deal. I mean, if you have a LinkedIn account, you likely get a bit of spam already.
And, if someone really wanted to get in contact with you, they can. (Phone directories still exist.) And, of course, just send them an invite. Most accept.
I wouldn't trust a browser plugin like this though.
Any piece of data that's out there, currently private or not, will ultimately become available to anyone as long as they can find it. This is a tool which speeds up that process.
Can't wait for the Facebook version of this plugin.
I was rather surprised when LinkedIn synced all of my LinkedIn contacts' email addresses into my address book via the Android app. Not as bad as this, but strange default behaviour.
This tool sucks, I tried it when it was posted on a previous YC thread. I tried it on a few accounts where I'm directly connected with someone & it gave me bogus addresses.
Nah, I wasn't connected to the people. The server is probably getting bombarded now, since a whole bunch of news outlets are starting to cover it, and that is causing a lot of errors, but this was actually released like a week or two ago and works great.
If so, this is basically a Chrome virus.