LinkedIn warns of Sell Hack browser plugin that claims to reveal hidden email addresses

SellHackA browser extension called "Sell Hack" is creating something of a storm, after claiming it can reveal the hidden email addresses of LinkedIn users.

The tool, first spotted by Yahoo Tech columnist Alyssa Bereznak, initially gives the impression that it allows anyone to visit a LinkedIn profile page and "hack" into LinkedIn's systems to extract the page owner's (normally private and hidden) email address.

And all this power, it is claimed, is available to you by quickly installing a plugin for your Chrome, Safari or Firefox browser.

Sell Hack website

Sounds like a stalker's or recruitment advisor's wet dream, doesn't it?

But in my testing, Sell Hack didn't quite live up to its promise.

If you want to try out Sell Hack, you will first have to grant permission for the extension to plug into your browser.

Sell Hack extension install

Don't say that you weren't warned.

But if you do decide to proceed, a button will be added to any LinkedIn profiles that you visit.

Sell Hack on LinkedIn CEO's profile

And sure enough, clicking on the "Hack In" button does sometimes reveal what appear to be the profile owner's email address.

Weiner revealed

That certainly looks like a plausible email address for Jeff Weiner at LinkedIn, and it's confirmed by services like CEOemail.com.

Here's another attempt I made, checking out a certain William H Gates III:

Email addresses for Bill Gates?

Again, the email addresses *appeared* plausible enough. But I didn't want to drop Bill a line to check. After all, he probably gets enough nuisance unsolicited email as it is.

What I found interesting, however, is that in the majority of occasions Sell Hack failed to reveal any email addresses for the profiles I tested it against. This was especially true when the profiles I attempted to find email addresses for weren't public figures, like CEOs of major organisations.

LinkedIn profile, failing to expose its email address

WHOA! We have so many new users that we need to do some maintenance

This leads me to think that Sell Hack isn't actually exploiting a security or privacy vulnerability on LinkedIn at all, but is using other methods to determine LinkedIn users' email addresses.

Let's hope that is the case, because a tool which genuinely "hacked" into accounts to reveal email addresses would be a powerful tool for cybercriminals like spammers, phishers and those interested in launching targeted attacks against particular companies.

Update: LinkedIn spokesperson Krista Canfield has been in touch, and confirms that "no LinkedIn data has been compromised and Sell Hack is not the result of a security breach, bug or vulnerability." Which is good to know!

However, what isn't entirely clear is just how Sell Hack is determining the email addresses it (sometimes) displays. One worrying scenario would be if the Sell Hack tool itself were harvesting users' accounts for contact information, and building up parts of its database that way.

Sell Hack's own FAQ claims that it is using publicly accessible information to determine an individual's likely contact details:

The data we process is all publicly available. We just do the heavy lifting and complicated computing to save you time. We aren't doing anything malicious to the LinkedIn website. We think browser extensions are the best way to personalize an individuals web experience. We love LinkedIn and are trying to make it better for the community.

Regardless, LinkedIn is unimpressed and has released a statement urging users to not install the Sell Hack browser extension:

LinkedIn’s legal team is delivering Sell Hack a cease and desist letter as a result of several violations.

LinkedIn members who downloaded Sell Hack should uninstall it immediately and contact Sell Hack requesting that their data be deleted.

We advise LinkedIn members to protect themselves and to use caution before downloading any third-party extension or app. Often times, as with the Sell Hack case, extensions can upload your private LinkedIn information without your explicit consent.

LinkedIn is offering sound advice here. Installing dubious browser plugins is a dangerous game, that could result in your personal, private information being compromised.

I was nervous of the Sell Hack plugin so I ensured that it didn't connect with my real LinkedIn account during all of my testing.

After all, how could I be sure that it wasn't scooping up private information from my profile or address book which it might later use for nefarious purposes?

See also: Sell Hack, the controversial plugin that offered to uncover LinkedIn email addresses, shuts down for now

Tags: , , , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , , , ,

One Response

  1. Jeremy

    April 2, 2014 at 6:27 am #

    It's possible that they just do mass indexing of people's social presences. Linkedin most likely won't do anything as someone will just recompile the code. They are just scared of their crappy business model and don't want people to contact people using the free plan.

Leave a Reply