
Does LinkedIn access your email or contact list? - jackgavigan
https://www.quora.com/Does-LinkedIn-access-your-email-or-contact-list?share=1
======
ikeboy
From the comments:

> UPDATE: apparently their original explanation was erroneous. They’ve sent
> another message with a different explanation for how they got my contacts
> (below), which is that I apparently “uploaded my android address book”. I
> never knowingly uploaded my android address book but I’d guess that the
> linkedin app automatically does it whenever it can. This serves as a good
> reminder to check app permissions when you download an app to your phone!

~~~
mysterypie
Where are you getting that from? I don't see that passage in the original
article and if I google for it, the only hit is your Hacker News comment.

~~~
ikeboy
Click comments on the first answer, or go to
[https://www.quora.com/Does-LinkedIn-access-your-email-or-con...](https://www.quora.com/Does-LinkedIn-access-your-email-or-contact-list/all_comments/Forrest-Abouelnasr)

~~~
mysterypie
I simply do not see it. There is no comments link or button in the original
article and your link above gets me the same Q&A but there is nothing like the
passage you've quoted.

I even looked at the page source. I've turned off all privacy protection in my
browser. I'm using Firefox from a desktop. I am not logged into Quora. Are you
doing something different? (Mobile version? Logged into Quora?)

~~~
soneil
I believe you don't get comments if you're not logged in, only answers.

(This should get you more, but still not the entire comment, I think:
[https://www.quora.com/Does-LinkedIn-access-your-email-or-con...](https://www.quora.com/Does-LinkedIn-access-your-email-or-contact-list/answer/Forrest-Abouelnasr/comment/19766928))

------
elcano
Each of my children has an email account that I configured on my own domain.
When I enrolled them in a soccer team I used their email address in the form. I
get forwarded every email that they receive, but by noticing the To: field I
can determine for whom it was intended. I have been doing this for a few other
sport teams. Well, they continuously receive invitations to join LinkedIn from
the soccer coach. He cannot be doing this on purpose. LinkedIn is swallowing
his contact list and sending invites indiscriminately to every address. He
could have uploaded it on purpose, or most probably 'auto-approved' as said
above. Yet, it doesn't change that this practice is desperate to say the least
or actually, sick is a better term.

~~~
jstanley
> I get forwarded every email that they receive

Do you think this is fair?

~~~
koolba
> Do you think this is fair?

For a young child? It'd be criminal not to do this.

There's a _BIG_ difference between protecting a young (say <13?) child from
the evils and perversions that we all know exist in the world and invading the
privacy rights of an adolescent. I'd say the natural tipping point for the
switch is when the child decides to create their own email address.

~~~
arkitaip
If anything, I wish more parents acted like you (I know some that do but
not nearly enough). Most have no idea what their kids are up to on email or
various chat apps.

------
afandian
There are so many stories of LinkedIn grabbing contact lists that people don't
remember allowing. It happened to me.

Was it nefarious? Did they exploit a vulnerability? Did they trick me?

It all amounts to the same thing if LinkedIn is doing something to so many
people who don't believe they gave consent. There's no way this is proper
informed consent.

------
flippyhead
> In order from preventing this from happening again, you will want to be
> careful to not open up your personal email address in the same browser when
> you have your LinkedIn account open.

Well crap, I guess it's my fault for forgetting to not use the same browser
for multiple, unrelated websites.

------
jklein11
How, exactly, does this work?

If LinkedIn can get my Gmail authorization information from the browser,
couldn't any other site?

------
aq3cn
Firefox has a container feature now to isolate cookies from other tabs in the
same browser window natively.

[http://www.ghacks.net/2016/06/15/firefox-container-tab/](http://www.ghacks.net/2016/06/15/firefox-container-tab/)

Time has come to isolate LinkedIn and we have the resources too.

I admit that it's creepy and intolerable but I have accepted this behavior and
started taking measures of my own.

Edit:

Another solution is to make use of this add-on called uMatrix.

[https://addons.mozilla.org/en-US/firefox/addon/umatrix/](https://addons.mozilla.org/en-US/firefox/addon/umatrix/)

------
okket
This is exactly what every browser tries to prevent from happening, so how is
this possible?

~~~
vorotato
[secret] it wasn't.

------
laurentdc
> There is not a setting to specifically turn this feature off.

Glad I deleted my LinkedIn account about a year ago. It was just spam, spam, and
more spam to me and my connections to get more people on the platform.

------
loph
It's the smartphone app that does this. Not the browser app. If you use
Chrome, it is theoretically impossible for one tab to get data from another
tab.

------
jrockway
Through what mechanism is this implemented? It sounds to me like the CSR
misspoke.

------
Cozumel
It could be some kind of 'target blank' attack, if you have Gmail open in one
tab then open a link from a linkedin email onto their site, they have access
to your gmail window and can probably get your contacts.

Couple of examples explaining it better than I can:
[https://dev.to/ben/the-targetblank-vulnerability-by-example](https://dev.to/ben/the-targetblank-vulnerability-by-example)
[https://www.jitbit.com/alexblog/256-targetblank---the-most-u...](https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/)

~~~
mediumdeviation
Cross-origin window.opener objects are not full window objects. You can test
this out on any browser - the most they can do is what the articles you linked
to say - redirect the parent window, which can be used for phishing, but is
otherwise relatively harmless.
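
Added example, not part of the thread: the parent-window redirect described in the two comments above only works when a link opened with `target="_blank"` leaves `window.opener` set, which `rel="noopener"` (or `noreferrer`) prevents. The sketch below audits markup for links missing it; the sample HTML, the function names and the regex-based tag scan are constructed for illustration and are not a full HTML parser.

```javascript
// Constructed sample markup: two links leave window.opener available, three do not.
const SAMPLE_HTML = `
<a href="https://example.com/a" target="_blank">unsafe</a>
<a href="https://example.com/b" target="_blank" rel="noopener">safe</a>
<a href="https://example.com/c" target="_blank" rel="nofollow noreferrer">safe</a>
<a href="/local">same tab, no new window</a>
<A HREF='https://example.com/d' TARGET='_blank' REL='nofollow'>unsafe</A>
`;

// Parse the attributes of one <a ...> start tag into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*a\b/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return the href of every target="_blank" link whose rel lacks noopener/noreferrer.
function findOpenerLeaks(html) {
  const findings = [];
  for (const match of html.matchAll(/<a\b[^>]*>/gi)) {
    const attrs = parseAttrs(match[0]);
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    const rel = (attrs.rel || "").toLowerCase().split(/\s+/);
    if (!rel.includes("noopener") && !rel.includes("noreferrer")) {
      findings.push(attrs.href || "(no href)");
    }
  }
  return findings;
}

console.log(findOpenerLeaks(SAMPLE_HTML));
```

Current browsers treat `target="_blank"` as `noopener` by default, so the explicit attribute mainly protects visitors on older versions.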

------
asimuvPR
I don't understand how this would be possible without it being a gmail and
browser security issue. Maybe someone with browser dev experience can chime
in?

Google should take notice of this.

------
dexterdog
Is there really a reason to have LinkedIn on your phone unless you're one of
those people who uses it as his fb/twitter for business? I forgot I even had
it so it's gone now.

------
arkitaip
I don't know if this is even possible but people think that it is because
LinkedIn has become the Internet boogeyman after years of scummy business
practices.

------
jkot
Good advice: use private browser mode by default

------
lr4444lr
I'm not a security expert, but if this is true, doesn't that imply Gmail has
an XSRF exploit?

------
oneloop
Guys, you're a technical crowd. How would this even be possible? I mean, if
you haven't given access to your gmail contacts to linkedin through oauth,
this shouldn't be possible. If you have... you should expect that the app you
gave access to will use the access.

I'm calling bullshit.

~~~
afandian
I'm technical. It happened to me. I'd be the first to call bullshit on myself,
but it happened and I honestly don't know how they did it.

~~~
thewhitetulip
I have had facebook recommend me people with whom I have communicated via
Gmail and Github only

~~~
tristanj
I've had this happen before too. Quite likely the other person searched your
name on Facebook and clicked your profile but didn't send a friend request.
Facebook thought you two might know each other, hence they suggested a friend
request.

~~~
dkersten
I've had a fake gmail account that I was using to reply to scammers show up on
linkedin. I've had old old old hotmail addresses (which I didn't delete from
my contact list and at some point imported into gmail, back when gmail was
new) show up on linkedin.

I've never used their apps or otherwise connected my gmail. Yes, it's possible
that they tricked me somehow using some dark pattern, but there is no
legitimate way they could have added these "people" to my list.

~~~
jrockway
Why isn't it possible that the scammers you replied to told LinkedIn your
email address (probably through an automated contact list upload)?

~~~
dkersten
It's possible. I'd say it's very unlikely though. But that doesn't explain old
no-longer-existing hotmail addresses. My point is that there are many cases
which are incredibly unlikely to have gotten into linkedin's database
legitimately.

I mean, sure, it could have very well been that they tricked me somehow.
Likely in fact (more likely than them knowing some kind of cross site
scripting vulnerability in gmail). But in my opinion that is just as
illegitimate scum tactics as hacking my inbox and IMHO should be illegal. I do
know that I did NOT authorise this action, whatever it may be.

