

Serious privacy issue in Linkedin not fixed for more than a week - aatteka
https://twitter.com/AndrisAtteka/status/524098970172538880

======
netcorps
The same type of "attack" can be run against Amazon and most online shops that
base suggestions on your product viewing / browsing history. So just embed a
link to an "interesting" product (e.g. adult toys) in any website and users
next visiting Amazon will see very odd suggestions. There is not much they can
do against this as they still want to count visits on profiles from people
coming from Google where the URLs will not hold a valid CSRF token in them.

Only tracking visits when the page UI loaded and preventing the page from
being embedded in iframes via security headers (if only these were
supported in a more consistent way) would help address this. Not worth the
effort.

This would only become an interesting attack vector if many visits to your
profile bumped your credibility in any way.

