There we have it, finally signed up and signed in to
LinkedIn. The next part of the new user experience is filling
out your profile. Depending on how you count, LinkedIn tries to
import the user’s address book three to eight times. It
shouldn’t be this hard to sign up for a product without giving
away any unnecessary information.
Related HN discussion [1].
[0] https://medium.com/@danrschlosser/linkedin-dark-patterns-3ae...
One of 3 things seems to be possible here:
1) The rep is right and gmail has an XSS vulnerability that LinkedIn is using
2) LinkedIn and Google are in bed and sharing this information based on some fingerprint-foo
3) This guy or his other contacts somehow at some point succumbed to LinkedIn trickery and gave access to his gmail account.
Don't know about you, but #3 seems most likely to me...
How about focusing on the problem instead of pulling a bait-and-switch?
The fact is linkedin tries incessantly to import contact lists from their users, sometimes in the clear and sometimes through shady dark-patterns.
Everyone who ever used linkedin is well aware of that.
Other social network services also abuse that angle, like facebook.
So, why exactly are you trying to pull the proverbial wool over everyone's eyes by trying to make believe that this issue is about an ill-reputed "call center rep" instead of the clamorous privacy abuse that social network services try to force on their users repeatedly?
I'm not sure what exactly you feel I'm trying to lie about here - my post stated I think that LI conned this guy out of his contacts instead of utilizing some heretofore unknown technology to steal them from a separate browser window.
That seems the most likely scenario to me to explain the article. Maybe they try to log in with your email and LinkedIn password on the chance that you used the same password for both services?
Then again, on gmail, this should trigger a "login on new device" warning and shouldn't be possible at all if two-factor-auth is active.
This app has access to:
Identity
-find accounts on the device
-add or remove accounts
Calendar
-read calendar events plus confidential information
Contacts
-find accounts on the device
-read your contacts
-modify your contacts
Location
-precise location (GPS and network-based)
Photos/Media/Files
-read the contents of your USB storage
-modify or delete the contents of your USB storage
Storage
-read the contents of your USB storage
-modify or delete the contents of your USB storage
Other
-read sync statistics
-receive data from Internet
-view network connections
-create accounts and set passwords
-full network access
-read sync settings
-control vibration
-prevent device from sleeping
-toggle sync on and off
Updates to LinkedIn may automatically add
additional capabilities within each group.
How people can willingly grant device pwnership to apps like this is beyond me.
Why does that still surprise you?
"if you had at any time your LinkedIn account open and accessed any of your emails through the same browser… In order from preventing this from happening again, you will want to be careful to not open up your personal email address in the same browser when you have your LinkedIn account open."
Seems unlikely that it really works this way; it would be a huge security hole - spammers and scammers would be using this all the time to harvest addresses.
But seriously though, why does LinkedIn refuse to learn time and time again? There's a line between being aggressive and being outright dishonest and the line isn't all that hard to determine. Uber is often aggressive but rarely are they dishonest in their practices (at least not egregiously from what I know). But at this point LinkedIn is the leader in practices like this and it's not all that clear to me that it's a great long term strategy.
Well if they are in my Gmail contacts they are already part of "my network." I can reach out and contact any of these people by simply sending them an email.
I'm doing some email outreach through Hubspot which requires access to my gmail so I set up a separate email so they don't have access to my main account. I don't believe Hubspot will do anything with my offline access token, but it's just one more system that has access, so better to follow the whole principle of least privilege.
As the Product Manager of LinkedIn’s contacts import products, I can confirm that the original explanation was erroneous. The article on thestack.com references a Quora thread that was inaccurate due to misinformation from our representative, which we've corrected. He's also since posted a correction in reply to his answer; see https://www.quora.com/Does-LinkedIn-access-your-email-or-con....
We apologize for any confusion this caused and are working with our reps to ensure we correct any misinformation like this in the future.
We never send invitations without an action from the member. When you add connections you see the following:
-- a description of what occurs when you import your contacts to LinkedIn
-- a page allowing members to unselect contacts from the connection request.
You must go into the address book import page and authenticate the import of your contacts from your email. It does not happen just by being logged into LinkedIn and your email on the same browser.
Moreover, you can view, manage, and delete your imported contacts at any time by going to https://www.linkedin.com/people/contacts.
Thanks,
Barry
Any idea what they're getting at here? All of them just sound like ways to uniquely identify a user.. so being generous I'll assume LinkedIn can always work out my gmail address even if I use another address to sign up.. what next, they hack my account using one of those?