LinkedIn warns of Sell Hack browser plugin that claims to reveal hidden email addresses

Graham Cluley

A browser extension called “Sell Hack” is creating something of a storm, after claiming it can reveal the hidden email addresses of LinkedIn users.

The tool, first spotted by Yahoo Tech columnist Alyssa Bereznak, initially gives the impression that it allows anyone to visit a LinkedIn profile page and “hack” into LinkedIn’s systems to extract the page owner’s (normally private and hidden) email address.

And all this power, it is claimed, is available to you by quickly installing a plugin for your Chrome, Safari or Firefox browser.

[Image: Sell Hack website]

Sounds like a stalker’s or recruitment advisor’s wet dream, doesn’t it?

But in my testing, Sell Hack didn’t quite live up to its promise.

If you want to try out Sell Hack, you will first have to grant permission for the extension to plug into your browser.

[Image: Sell Hack extension install]

Don’t say that you weren’t warned.

But if you do decide to proceed, a button will be added to any LinkedIn profiles that you visit.

[Image: Sell Hack on LinkedIn CEO's profile]

And sure enough, clicking on the “Hack In” button does sometimes reveal what appears to be the profile owner’s email address.

[Image: Weiner revealed]

That certainly looks like a plausible email address for Jeff Weiner at LinkedIn, and it’s confirmed by services like CEOemail.com.

Here’s another attempt I made, checking out a certain William H Gates III:

[Image: Email addresses for Bill Gates?]

Again, the email addresses *appeared* plausible enough. But I didn’t want to drop Bill a line to check. After all, he probably gets enough nuisance unsolicited email as it is.

What I found interesting, however, is that on the majority of occasions Sell Hack failed to reveal any email addresses for the profiles I tested it against. This was especially true when the profiles I attempted to find email addresses for weren’t those of public figures, like CEOs of major organisations.

[Image: LinkedIn profile, failing to expose its email address]

WHOA! We have so many new users that we need to do some maintenance

This leads me to think that Sell Hack isn’t actually exploiting a security or privacy vulnerability on LinkedIn at all, but is using other methods to determine LinkedIn users’ email addresses.

Let’s hope that is the case, because a tool which genuinely “hacked” into accounts to reveal email addresses would be a powerful tool for cybercriminals like spammers, phishers and those interested in launching targeted attacks against particular companies.

Update: LinkedIn spokesperson Krista Canfield has been in touch, and confirms that “no LinkedIn data has been compromised and Sell Hack is not the result of a security breach, bug or vulnerability.” Which is good to know!

However, what isn’t entirely clear is just how Sell Hack is determining the email addresses it (sometimes) displays. One worrying scenario would be if the Sell Hack tool itself were harvesting users’ accounts for contact information, and building up parts of its database that way.

Sell Hack’s own FAQ claims that it is using publicly accessible information to determine an individual’s likely contact details:

“The data we process is all publicly available. We just do the heavy lifting and complicated computing to save you time. We aren’t doing anything malicious to the LinkedIn website. We think browser extensions are the best way to personalize an individual’s web experience. We love LinkedIn and are trying to make it better for the community.”

Regardless, LinkedIn is unimpressed and has released a statement urging users to not install the Sell Hack browser extension:

“LinkedIn’s legal team is delivering Sell Hack a cease and desist letter as a result of several violations.

“LinkedIn members who downloaded Sell Hack should uninstall it immediately and contact Sell Hack requesting that their data be deleted.

“We advise LinkedIn members to protect themselves and to use caution before downloading any third-party extension or app. Often times, as with the Sell Hack case, extensions can upload your private LinkedIn information without your explicit consent.”

LinkedIn is offering sound advice here. Installing dubious browser plugins is a dangerous game that could result in your personal, private information being compromised.

I was nervous of the Sell Hack plugin so I ensured that it didn’t connect with my real LinkedIn account during all of my testing.

After all, how could I be sure that it wasn’t scooping up private information from my profile or address book which it might later use for nefarious purposes?

See also: Sell Hack, the controversial plugin that offered to uncover LinkedIn email addresses, shuts down for now

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “LinkedIn warns of Sell Hack browser plugin that claims to reveal hidden email addresses”

  1. It's possible that they just do mass indexing of people's social presences. LinkedIn most likely won't do anything as someone will just recompile the code. They are just scared of their crappy business model and don't want people to contact people using the free plan.
