LinkedIn plug-in mines for user email addresses

"This highlights the fine line between acceptable and unacceptable usage of your information" says Nigel Stanley, CEO of Incoming Thought.


The complex world of approved and third-party browser apps has been highlighted after LinkedIn announced it had sent a cease-and-desist letter to the developers of the curiously named 'Sell Hack' add-on for the Chrome, Firefox and Safari web browsers.

LinkedIn says that it recently became aware that the Chrome version of Sell Hack automatically mines email addresses from LinkedIn servers, a piece of data that is normally only visible to people with whom the LinkedIn user has 'connected', and even then only if the member has opted in to sharing it.

The Sell Hack app is not available in the browsers' official add-on and extension stores, but can be downloaded from the Sell Hack website.

Both LinkedIn and Sell Hack remain vague on how the app is apparently able to circumvent LinkedIn's normal privacy controls, but unconfirmed reports suggest that the app cross-references normally hidden data on the LinkedIn site with data found elsewhere on the web in order to 'mine' user email addresses.

The BBC quotes a LinkedIn spokesperson as saying the company is doing everything it can to shut Sell Hack down. "On 31 March LinkedIn's legal team delivered Sell Hack a cease-and-desist letter as a result of several violations," the spokesperson said.

"LinkedIn members who downloaded Sell Hack should uninstall it immediately and contact Sell Hack requesting that their data be deleted." 

The story from Sell Hack's side is a little different, with the app developer acknowledging receipt of the cease-and-desist letter, but announcing that the plug-in no longer works on LinkedIn pages. 

"We only processed publicly visible data from LinkedIn based on your profile permissions… all of which has been deleted," says the company in its latest posting, adding that it has been described by some as sneaky, nefarious, no good and not 'legitimate', among other references.

"We're not. We're dads from the Midwest who like to build web and mobile products that people use," the firm adds.  

Rob Bamforth, a principal analyst with business and security research house Quocirca, said that LinkedIn already harvests data from users' address books. 

"I've noticed this feature myself over the last few months on the 'people you may know' feature. A few of them have now passed away, so it's clearly doing something with my email address book," he said.

The problem with Sell Hack, as with all apps of this type, he says, is that anything that works as a plug-in can operate outside the normal controls of a website and its interface. "You then run the risk of problems and issues with that app as a result," he explained.

"The fact that the app hooks in via the web browser is always a potential security risk. The methodology may be perfectly legitimate in most cases, but there can be an issue, as this saga clearly illustrates," he said, adding that the 'halo of trust' is always going to be potentially problematic in such situations.

Fellow analyst Nigel Stanley, CEO of Incoming Thought, echoed Bamforth's comments, noting that LinkedIn is a valuable source of information for most of its users.

"I think this highlights the fine line between acceptable and unacceptable usage of your information. It would be interesting to see what LinkedIn's T&Cs in this regard are - but the bottom line is that any information that you upload to the Internet should be considered to be in the public domain, even if the site or service promises to take care of that data," he said. 

Over at security consultancy Pentura, Paul Cronin, the firm's technical director, said that, although Sell Hack is using an algorithm to check publicly available data, it is a concern that add-ons like this can watch activity, and collect information, on any direct connections made via LinkedIn.

"Many individuals have their personal email accounts connected to services such as LinkedIn, which they may not want exposed. It's also not clear what is being done with this information," he said, adding that this is something that the tool's vendor needs to make explicit if users are going to trust it.