
LinkedIn accesses Gmail contacts via ‘auto-authorization’ - pzb
https://thestack.com/security/2016/10/06/linkedin-accesses-gmail-contacts-via-auto-authorization/
======
0xmohit
See LinkedIn Dark Patterns [0]. It explains how LinkedIn _tricks_ one into
sharing contacts.

    
    
      There we have it, finally signed up and signed in to
      LinkedIn. The next part of the new user experience is filling
      out your profile. Depending on how you count, LinkedIn tries to
      import the user’s address book three to eight times. It
      shouldn’t be this hard to sign up for a product without giving
      away any unnecessary information.
    

Related HN discussion [1].

[0] [https://medium.com/@danrschlosser/linkedin-dark-patterns-3ae...](https://medium.com/@danrschlosser/linkedin-dark-patterns-3ae726fe1462)

[1]
[https://news.ycombinator.com/item?id=11063178](https://news.ycombinator.com/item?id=11063178)

------
djrogers
Listen - I'm not above accusing LinkedIn of horrible things, but here we are
basically taking the word of a call center rep over what we (should) know to
be technical limitations of the platform in question.

One of 3 things seems to be possible here:

1) The rep is right and gmail has an XSS vulnerability that LinkedIn is using

2) LinkedIn and Google are in bed and sharing this information based on some
fingerprint-foo

3) This guy or his other contacts somehow at some point succumbed to LinkedIn
trickery and gave access to his gmail account.

Don't know about you, but #3 seems most likely to me...

~~~
geezerjay
It seems to me that you're trying to turn the tables on the subject and
pretend that linkedin's contact list abuse is, somehow or for any reason,
instead an issue regarding a "call center rep", which no one likes.

How about focusing on the problem instead of pulling a bait-and-switch?

The fact is linkedin tries incessantly to import contact lists from their
users, sometimes in the clear and sometimes through shady dark-patterns.

Everyone who ever used linkedin is well aware of that.

Other social network services also abuse that angle, like facebook.

So, why exactly are you trying to pull the proverbial wool over everyone's
eyes by trying to make believe that this issue is about an ill-reputed "call
center rep" instead of the clamorous privacy abuse that social network
services try to force on their users repeatedly?

~~~
djrogers
I'm trying to focus on the _content of the article_ and not the hundreds of
other blog posts about scummy LI behavior. The linked post has nothing to do
with dark patterns, which are crappy and LI is clearly guilty of.

I'm not sure what exactly you feel I'm trying to lie about here - my post
stated I think that LI conned this guy out of his contacts instead of
utilizing some heretofore unknown technology to steal them from a separate
browser window.

~~~
geezerjay
> I'm trying to focus on the content of the article

If you actually had any intention of focusing on the content, you wouldn't have
tried to turn the tables with a blatant ad-hominem while turning a blind eye
to the issue.

------
DanBlake
If you know about browser security, you know that what is being described is
just not possible. Likely that the author had authorized some google importer
or something, but simply visiting 2 different websites in 2 tabs would not
allow this. Just imagine the insanity if it was possible for another site to
read from another tab.
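The gate DanBlake is alluding to is the browser's same-origin policy: before one document may touch another's DOM, cookies or storage, the browser compares the (scheme, host, port) tuple of both, and a LinkedIn tab and a Gmail tab fail that comparison at the first step. The block below is an added illustration written for this thread, not code from the article or from any commenter; `originTuple`, `isSameOrigin` and `evaluateSamplePairs` are names chosen here, and the URL pairs are constructed samples.

```javascript
// Added example: the same-origin comparison browsers apply before letting a page
// read another document's DOM, cookies or storage. Names and sample data are
// constructed for this illustration, not taken from the article or the thread.

// Scheme-default ports count as present even when the URL omits them.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its effective origin tuple (scheme, host, port).
function originTuple(urlString) {
  const u = new URL(urlString);
  // The WHATWG URL parser leaves `port` empty when it equals the scheme default,
  // so "https://a.test" and "https://a.test:443" both resolve to port "443" here.
  const port = u.port === "" ? (DEFAULT_PORTS[u.protocol] || "") : u.port;
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two documents share an origin only if all three components match exactly.
// Note that a subdomain (mail.google.com vs google.com) is a different host.
function isSameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample pairs: a "Gmail tab" beside other tabs in the same browser.
const SAMPLE_PAIRS = [
  ["https://mail.google.com/mail/u/0/", "https://www.linkedin.com/feed/"], // different host
  ["https://mail.google.com/", "https://mail.google.com:443/mail/"],       // default port, same origin
  ["https://mail.google.com/", "http://mail.google.com/"],                 // scheme differs
  ["https://mail.google.com/", "https://google.com/"],                     // subdomain differs
  ["https://example.test:8443/", "https://example.test/"],                 // explicit non-default port
];

// Evaluate every sample pair; only the second pair passes the check.
function evaluateSamplePairs() {
  return SAMPLE_PAIRS.map(([a, b]) => ({ a, b, sameOrigin: isSameOrigin(a, b) }));
}

for (const r of evaluateSamplePairs()) {
  console.log(`${r.a}  vs  ${r.b}  ->  ${r.sameOrigin ? "same origin" : "isolated"}`);
}
```

Only the pair that differs solely by an omitted default port is judged same-origin; a scheme change, a port change or even a sibling subdomain is enough to isolate two tabs, which is why a third-party site cannot read a webmail tab's session without the user first granting access through an explicit import or OAuth flow.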

~~~
phkahler
I've seen this happen too. I'm actually under the impression that LinkedIn
will log in to your email account if they can. They keep asking me to
"confirm" an email address by giving them the password. Sorry, not gonna
happen. I believe (without hard proof) that if Alice sends Bob an email talking
about Cindy, all three will be suggested as people they may know even if none
of them have explicitly indicated such to LinkedIn. Facebook apparently does
some similar things, but LinkedIn is creepy in this regard. And remember, it
could be that they didn't rifle through your email, but someone whose contacts
include you. Oh, and I'm sure their "app" requires access to your phone
contacts for the same reasons.

~~~
xg15
_I'm actually under the impression that LinkedIn will log in to your email
account if they can._

That seems the most likely scenario to me to explain the article. Maybe they
try to log in with your email and linkedin password on the chance that you
used the same password for both services?

Then again, on gmail, this should trigger a "login on new device" warning and
shouldn't be possible at all if two-factor-auth is active.

------
biot
In previous stories[0] it turned out that LinkedIn was siphoning information
via their mobile app. For example, if you're on Android and install LinkedIn
you're granting the complete set of permissions the app requires plus
automatically granting any new permissions the updated app specifies:

    
    
      This app has access to:
    
      Identity
      -find accounts on the device
      -add or remove accounts
    
      Calendar
      -read calendar events plus confidential information
    
      Contacts
      -find accounts on the device
      -read your contacts
      -modify your contacts
    
      Location
      -precise location (GPS and network-based)
    
      Photos/Media/Files
      -read the contents of your USB storage
      -modify or delete the contents of your USB storage
    
      Storage
      -read the contents of your USB storage
      -modify or delete the contents of your USB storage
    
      Other
      -read sync statistics
      -receive data from Internet
      -view network connections
      -create accounts and set passwords
      -full network access
      -read sync settings
      -control vibration
      -prevent device from sleeping
      -toggle sync on and off
    
      Updates to LinkedIn may automatically add 
      additional capabilities within each group. 
    

How people can willingly grant device pwnership to apps like this is beyond
me.

[0]
[https://news.ycombinator.com/item?id=12651448](https://news.ycombinator.com/item?id=12651448)

~~~
gjolund
Most people are dumb and apathetic.

Why does that still surprise you?

------
nwrk
This is hilarious - relevant snippet from support conversation from article:

"if you had at any time your LinkedIn account open and accessed any of your
emails through the same browser…In order from preventing this from happening
again, you will want to be careful to not open up your personal email address
in the same browser when you have your LinkedIn account open."

~~~
bdcravens
followed by: "We are not doing this to invade your privacy, we are doing this
to assist you in growing your network."

------
Johnny555
If this is true, then _any_ website could use this same method to access Gmail
contacts if you happen to have Gmail open in the same browser session.

Seems unlikely that it really works this way, it would be a huge security hole
- spammers and scammers would be using this all the time to harvest addresses.

~~~
adventurer
I'm also skeptical but believe it isn't coincidental that when I signed up, it
recommended some people from my Gmail account. I had my country and city set
as Beijing, China. The only other recommendations were from people in that
area whom I didn't know, because I'm really in the U.S.

------
askafriend
_groan_... _grabs pitchfork_

But seriously though, why does LinkedIn refuse to learn time and time again?
There's a line between being aggressive and being outright dishonest and the
line isn't all that hard to determine. Uber is often aggressive but rarely are
they dishonest in their practices (at least not egregiously from what I know).
But at this point LinkedIn is the leader in practices like this and it's not
all that clear to me that it's a great long term strategy.

~~~
treve
I don't think there's a lesson to be learned. Their strategy is wildly
successful.

~~~
edoceo
The lesson is for users: be wary, click 'decline'

~~~
TheSpiceIsLife
How can we be sure clicking 'Decline' has the behaviour we would expect?

The lesson is: don't use these services.

------
joshavant
I assumed this was happening through their acquisition of Rapportive and all
the authorized Gmail plugins that came with that. But this... this is sneaky.

------
wfunction
Can someone explain how the hell this is even possible? Surely a random
website can't read any other random website's session data? Is Google
cooperating somehow?

------
eximius
Regardless of the technical feasibility of this particular method, I think it
is wise to simply abandon LinkedIn. They have proven to be a company I don't
want to be associated with. When people ask me for my LinkedIn, I tell them I
don't have one and quickly summarize some confirmed cases of things like this.

------
harigov
I vouch for this claim that LinkedIn/Facebook seem to give recommendations to
add someone as friend even when there is no chance that they could figure it
out using data they have. I don't understand why browsers can't sandbox each
tab such that there is no way to share cookies or cache. This is a serious
breach of privacy if they are reading friend relationships based on your gmail
open in other tabs.

~~~
nym375
It would not surprise me if one of their signals for recommendations is
whether that party has viewed your profile.

~~~
harigov
That actually makes more sense.

------
borski
There is also another option. Suppose, for a moment, that I've sent my friend
an email and he/she has allowed LinkedIn access to their Google Contacts, even
though I have not...there is no reason LinkedIn wouldn't still show me them as
a contact to add, since they know the connection. They just know it from the
other side.

~~~
salmonlogs
Agreed - this is the assumption I have been working on and experienced too

~~~
lancewiggs
The article noted that this was also happening for email contacts who were not
on LinkedIn.

~~~
jostylr
What about a third person, e.g., a mutual friend?

------
dalanmiller
I knew they were doing this based on recent connection suggestions but
couldn't figure out how. This makes me furious and only better shows how slimy
of an organization they are.

------
bogomipz
"We are not doing this to invade your privacy, we are doing this to assist you
in growing your network."

Well if they are in my Gmail contacts they are already part of "my network." I
can reach out and contact any of these people by simply sending them an email.

------
derricgilling
I agree, sounds more like the contacts were imported through app permissions or
something, unless LinkedIn found a real vulnerability in a common browser or
leveraged some CSRF or XSS attack, but seems doubtful given it's Google. It's
so easy just to accept the laundry list of permissions for common apps.

I'm doing some email outreach through Hubspot which requires access to my
gmail so I set up a separate email so they don't have access to my main
account. I don't believe Hubspot will do anything with my offline access
token, but it's just one more system that has access, so better to follow the
whole principle of least privilege.

------
huangbp
Hey folks,

As the Product Manager of LinkedIn’s contacts import products, I can confirm
that the original explanation was erroneous. The article on thestack.com
references a Quora thread that was inaccurate due to misinformation from our
representative, which we've corrected. He's also since posted a correction in
reply to his answer; see
[https://www.quora.com/Does-LinkedIn-access-your-email-or-con...](https://www.quora.com/Does-LinkedIn-access-your-email-or-contact-list/answer/Forrest-Abouelnasr/comment/19766928).

We apologize for any confusion this caused and are working with our reps to
ensure we correct any misinformation like this in the future.

We never send invitations without an action from the member. When you add
connections you see the following:

-- a description of what occurs when you import your contacts to LinkedIn

-- a page allowing members to unselect contacts from the connection request.

You must go into the address book import page and authenticate the import of
your contacts from your email. It does not happen just by being logged into
LinkedIn and your email on the same browser.

Moreover, you can view, manage, and delete your imported contacts at any time
by going to
[https://www.linkedin.com/people/contacts](https://www.linkedin.com/people/contacts).

Thanks,

Barry

------
shortstuffsushi
I posted a story asking about this (kind of) a couple years back [0]. I've
seen all sorts of weird LinkedIn behavior in terms of people being recommended
to me and people "accepting" invitations I didn't send. At least now I know
I'm not entirely crazy.

[0]
[https://news.ycombinator.com/item?id=6105715](https://news.ycombinator.com/item?id=6105715)

------
random55643
This drives me absolutely nuts. It makes me want to delete my LinkedIn
account.

~~~
Maarten88
They have been trying to access Outlook accounts for the same reason for
years, by asking for your password in a deceptive way. But if this is true
it's next-level evil indeed, it seems that Gmail has an open XSS
vulnerability, and LinkedIn (and Facebook too?) are using it to outright hack
into your account.

------
Animats
That's unacceptable. I just closed my LinkedIn account.

------
mcintyre1994
> At a technical level this kind of cross-site cross-pollination is quite
> achievable with the technical resources available to the major players
> concerned – supercookies, canvas fingerprinting, and global cookies acting
> as cross-site intermediaries all offer the possibility of breaking through a
> website’s sandbox.

Any idea what they're getting at here? All of them just sound like ways to
uniquely identify a user... so being generous I'll assume LinkedIn can always
work out my gmail address even if I use another address to sign up... what
next, they hack my account using one of those?

------
mikek
Source: [https://www.quora.com/Does-LinkedIn-access-your-email-or-con...](https://www.quora.com/Does-LinkedIn-access-your-email-or-contact-list?share=1)

------
SchizoDuckie
So how do they technically do this? If there's an open browser window they
shouldn't be able to access it. That's an XSS exploit. This is not
authorization, this is stealing leaked info.

------
wodenokoto
Where is Google in all this?

------
nucotano
How exactly does this work at a technical level?

~~~
r1ch
I recall there was a followup to the article that confirmed that he had
granted access to his gmail (or someone in his network etc). What the article
describes should not be technically possible.

