SellHack browser plugin ceases squeezing LinkedIn for hidden email addresses

Filed Under: Apple Safari, Featured, Firefox, Google Chrome, Privacy, Security threats, Social networks, Web Browsers

SellHackFor a brief window of time that has now slammed shut, a free browser extension called "SellHack" had set off a storm of more-or-less suspicious media reports by promising to "hack" LinkedIn profiles to get at what should be users' tucked-away, private email addresses.

LinkedIn was not very happy about this.

The professional social network told the BBC earlier in the week that it was doing "everything we can to shut Sell Hack down", including sending a cease-and-desist letter on Monday.

SellHack bowed to LinkedIn's command the following day, putting up a blog post titled "The Last 24 Hours" which explained that the SellHack plugin no longer works on LinkedIn pages.

(The post also pointed to how much free publicity this has garnered - the developers got more signups in the past 24 hours than in the 60 days since they'd launched.)

LinkedIn had asked users who downloaded the plugin to "uninstall it immediately":

LinkedIn members who downloaded Sell Hack should uninstall it immediately and contact Sell Hack requesting that their data be deleted.

Absolutely. I had planned to do that too, but not before hacking my own profile. SellHack has now saved me the trouble.

The plugin was available for Chrome, Safari and Firefox, any of which should ask for permission before plugging in a random extension off the internet.

As you can see in the screen grab below, the extension didn't always deliver the goods. It hit a brick wall with my profile, didn't deliver my email address, and gave me the excuse that "WHOA! We have so many new users that we need to do some maintenance".

Lisa Vaas, LinkedIn screenshot

I tried it on Naked Security's Mark Stockley and got his email address just fine, after which I dug up email addresses for people both CEO-ish and 99%-ish.

SellHack says on its site that the tool was created for marketing professionals. In its Tuesday post, it says that it's been described as "sneaky, nefarious, no good, not ‘legitimate’ amongst other references by some."

They're not any of that and are in reality far more wholesome, the developers claim:

We’re dads from the midwest who like to build web and mobile products that people use.

In spite of the use of the term "hack" in its name, however, SellHack didn't actually do any shady hacking of LinkedIn profiles to reveal the email addresses associated with them. Instead it made use of publicly available information on the net combined with "best guesses" and then packaged it all up in a provocative way.

The data we process is all publicly available. We just do the heavy lifting and complicated computing to save you time. We aren't doing anything malicious to the LinkedIn website.

We haven't been able to verify this (most of the code was in a publicly hosted library that has now been removed) but it seems the most likely explanation.

A LinkedIn spokesman told the BBC that members should "use caution" before downloading any third-party extension or app:

Often times, as with the Sell Hack case, extensions can upload your private LinkedIn information without your explicit consent.

LinkedIn's right about downloading dubious plugins. These tiny apps can do a world of cozy things in our browsers, such as help us to watch videos online, view PDF documents or more.

They can also be either malicious or simply out of date and therefore out of touch with a browser's most recent security vulnerabilities.

Critics have pointed out that LinkedIn itself isn't innocent of suctioning users' profile information, mind you.

For example, in February 2014, it pulled the plug on its own "Intro", an email plug-in for Apple iOS designed to suction LinkedIn profile information and insert it into emails received on phones.

And then too there's the class action lawsuit charging that LinkedIn gets into users' private email accounts and sucks out their contact lists - a charge that it denies, or at least, denies doing without users' permission.

But two - or three or four - wrongs don't make a right.

Let's just hope that browser plugin developers see this as a case study in being more transparent, as opposed to a tutorial in getting a lot of free press.


, , , ,

You might like

2 Responses to SellHack browser plugin ceases squeezing LinkedIn for hidden email addresses

  1. LinkedIn is so shady themselves, I have trouble feeling bad for them.

  2. Laurence Marks · 210 days ago

    LinkedIn attempts to sway the user into divulging his email address AND PASSWORD during the registration process. It's very subtle and clever and low-key.

    They don't disclose that they will then log into your Yahoo/Hotmail/Gmail account and download your contact list and spam them all to sign up.

    As I mentioned, very subtle. I almost fell for it.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.