
A Tool Will Let You See Anyone’s Email Address on LinkedIn - MarlonPro
https://www.yahoo.com/tech/this-sneaky-tool-will-let-you-see-anyones-email-on-81301057402.html
======
pdq
I have a suspicion this app is harvesting all your LinkedIn contacts,
uploading them to the app.sellhack.com server, and then as a "reward" for you
giving up all that info, you can pull other contacts back out of sellhack.com.

If so, this is basically a Chrome virus.

~~~
eli
Yup, that's exactly what it's doing. It's grabbing mailto's, email addresses,
twitter handles, etc off pages you see -- from you & your connections -- and
sending them back to its server.

[https://gist.github.com/anonymous/b15b1e3f6cfb8497e8f0#file-...](https://gist.github.com/anonymous/b15b1e3f6cfb8497e8f0#file-sellhack-js-L36)

By using this extension you are compromising your friends' privacy!

~~~
pdq
This brings up an interesting point of social engineering compromising
LinkedIn.

LinkedIn should immediately put a Captcha on their contact info display to
stop this JS attack!

------
selectout
Looks like all this is doing is trying every combo of first name, last name,
initials, etc. @ the company's website the person was employed by.

Nothing new here that's actually hacking in though, just checking the combos
for a positive return from Rapportive (or really could just be pinging the
email servers).

With that said it is in a nice and "consumer" friendly system, but even if
this gets shut down you can do it manually very easily and always have been
able to.

~~~
dmourati
I don't think it is that simple. I just tried with a colleague I met but whose
email I did not know. It returned his gmail account.

~~~
selectout
They could easily be testing many of the gmail + yahoo + other popular
accounts as well, doing google searches in the background for "name@gmail.com
AND company" to see if the person appears or maybe it really is more than what
I thought.

I just thought this way originally because it showed "26 results" for a friend
I looked up that I'm not connected to before it gave me the 1 final result
that was his email. The 26 results as it was loading showed everything from
first@company.com (not active), firstlast@company.com (not active),
firstLetterlastName@company.com (not active), etc.

EDIT: So based on it showing so many false positives it looks like it's just
queuing up all possibilities, then returning whatever it finds works.

------
chavesn
What an incredibly irresponsible post by Yahoo Tech. No disclaimer, and it is
written as a how-to!

Am I the only one who thinks that the people at Yahoo Tech should know better
than to make de facto recommendations to their users to install such kinds of
hacks, which are as dangerous to users as they are in violating the TOS of the
target website?

~~~
danielweber
It's a cluster-fudge alright. The reporter should have, er, _reported_ on what
they did and what results they saw.

And it left the really big question open: how does this "app" pull the email
address? If it's sitting there in the source of the page somehow, this is just
a pretty wrapper around a critical LinkedIn bug. If it's doing something else
... well, I would be _really_ interested in knowing what else it was doing.

~~~
eli
No, not on the page. The extension appears to be making a request to
"app.sellhack.com" to look up the LinkedIn member.

EDIT: And it's stealing your friends' contact details! Don't install it!
[https://news.ycombinator.com/item?id=7505728](https://news.ycombinator.com/item?id=7505728)

------
eli
It would be trivial for this app to steal your LinkedIn credentials or send
LinkedIn spam or do other nasty stuff. It's loading this script live off their
server: [https://sellhack-static.s3.amazonaws.com/extensions/linkedin...](https://sellhack-static.s3.amazonaws.com/extensions/linkedin/sellhack.min.js)

~~~
mahmud
Surprisingly, most "hacking" tools actually hack their users, instead of
hacking on their behalf.

------
na85
So in other words, LinkedIn's "premium account" service suffers from an info
disclosure vulnerability that they seem to be either too lazy or inept to fix,
and are instead just using their legal team as a meatspace firewall.

~~~
unreal37
No evidence of a LinkedIn vulnerability yet.

~~~
na85
Features that are supposed to be behind a paywall but aren't? That's a
vulnerability if you are LinkedIn and want to encourage more users to upgrade
to premium.

------
billyjobob
For many years the only spam and phishing emails I got were those sent to the
unique address I used to register on LinkedIn.

~~~
0x0
The same, and my custom email even included 'linkedin' as a substring, so no
doubt about it. Also I was seeing web crawler bots hitting URLs that were
hidden behind a "contacts only" privacy limit.

~~~
username223
"LinkedIn: the website for self-promoters too shameless and impatient for
Facebook." I'm not sure what else I would expect.

------
sweedy
I have just tried this with a new email and LinkedIn account with the intention
of seeing my own LinkedIn mail. At least it does not work with the latest Firefox
and Linux Mint here.

------
BorisMelnik
Looks like she has been made aware:

[https://twitter.com/alyssabereznak/status/450831920168181760](https://twitter.com/alyssabereznak/status/450831920168181760)

~~~
alyssabereznak
hi, i'm the author of the post. it's updated. thanks again for pinging me on
twitter.

i'm planning to talk to linkedin more about it. let me know if there's
anything you'd like to know.

[https://www.yahoo.com/tech/this-sneaky-tool-will-let-you-see...](https://www.yahoo.com/tech/this-sneaky-tool-will-let-you-see-anyones-email-on-81301057402.html)

------
aestetix
This reminds me of weev's "hack" against AT&T. Will people demand that the
creator of this tool be thrown into jail for 3 years?

~~~
unreal37
Is the creator a world-famous a*hole? No? Then probably not.

------
johnvschmitt
It's not really a big deal. I mean, if you have a LinkedIn account, you likely
get a bit of spam already.

And, if someone really wanted to get in contact with you, they can. (Phone
directories still exist.) And, of course, just send them an invite. Most
accept.

I wouldn't trust a browser plugin like this though.

------
vbrendel
Any piece of data that's out there, currently private or not, will ultimately
become available to anyone as long as they can find it. This is a tool which
speeds up that process.

Can't wait for the Facebook version of this plugin.

------
suyash
Can anyone use the tool and search a few email addresses to attest to the claim?

~~~
Jxnathan
Works perfectly.

------
memossy
I was rather surprised when LinkedIn synced all of my LinkedIn contacts' email
addresses into my address book via the Android app. Not as bad as this, but
strange default behaviour.

------
darksim905
This tool sucks, I tried it when it was posted on a previous YC thread. I
tried it on a few accounts where I'm directly connected with someone & it gave
me bogus addresses.

------
devanti
Tested it and it didn't seem to work. No button on the profile.

~~~
gburt
I got the button, but tried it on 10 different users and it got none of their
email addresses.

~~~
Jxnathan
Right-click and Inspect Element. You will see the e-mail address inside of the
Hack In "results" DIV.

------
Ramonal
Advertisers and headhunters like to use it.

------
notastartup
This doesn't work... also I now feel violated... it seems like it is harvesting
your contacts' emails and uploading them without your permission.

Sigh. These guys are about to feel the wrath of Linkedin's legal team.

I deleted it, it's useless.

~~~
flylib
It works great, has consistently worked every time I tried it.

~~~
notastartup
Do you have to be connected to the person? I tried it and the spinner just
loads forever.

~~~
flylib
Nah, I wasn't connected to the people. The server is probably getting bombarded
now since a whole bunch of news outlets are starting to cover it, and that is
causing a lot of errors, but this was actually released like a week or two ago
and works great.

------
the1
But isn't 100% of LinkedIn code thoroughly tested
([http://engineering.linkedin.com/tags/testing](http://engineering.linkedin.com/tags/testing))?
Much code coverage. Much fun! Wow!

------
suyash
No wonder recruiters were able to get my personal email.

