Saturday, January 23, 2010

LinkedIn Offers Backdoor to Derive Someone's Email Address

Normally on LinkedIn, you can't see someone's email address unless they are connected to you. You can still send them an invitation, but it goes through LinkedIn; the process itself does not expose their address to you.

However, if you send an invitation to someone who has an Out of Office (OOO) auto-reply set, the auto-reply comes straight back to you, and it carries their real email address. This is a small security gap, probably not a huge one, but it is an information disclosure that lets any LinkedIn member learn the private address of a non-connection who happens to be away, and someone, somewhere, will exploit it in some way.

The problem arises from the interaction between LinkedIn's invitation email and the OOO auto-reply (typically set in Microsoft Outlook, and generated by the Exchange server behind it). Interestingly, either piece of software could close the gap on its own. An auto-responder answers whatever address the incoming message names as its sender or Reply-To; LinkedIn could send the invitation without putting the inviter's own address in either place, so the auto-generated reply would go to a no-reply mailbox at LinkedIn instead of to the inviter. And the OOO auto-responder should not be disclosing the mailbox's address in replies to unknown external senders; ideally it should not be auto-replying to arbitrary external senders at all. That is worth fixing not just for this reason, but in general.
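The following is an added example, not code from the original post and not LinkedIn's or Microsoft's actual mail pipeline. It models the two sides of the interaction described above: an invitation mail whose Reply-To either exposes the inviter (the weak case) or points at a no-reply address (the fix), and a mailbox auto-responder that answers the Reply-To/From address unless a policy suppresses the reply. The domains, the `invitations@` and `noreply@` addresses, and the assumption that the responder prefers Reply-To over From are all hypothetical; the three `external_audience` settings mirror the None/Known/All choices Exchange offers for automatic replies to senders outside the organisation, and the `Auto-Submitted` check follows RFC 3834's rule against answering automatic messages.

```python
"""Model of the LinkedIn invitation / Out-of-Office interaction.

Constructed example: addresses, headers and policy names are hypothetical
and do not describe LinkedIn's or Exchange's real behaviour in detail.
"""
from email.message import EmailMessage
from email.utils import parseaddr
from typing import FrozenSet, Optional

LINKEDIN_RELAY = "invitations@linkedin.example"   # hypothetical relay sender
LINKEDIN_NOREPLY = "noreply@linkedin.example"     # hypothetical drop mailbox


def build_invitation(inviter: str, invitee: str, expose_inviter: bool) -> EmailMessage:
    """Invitation mail as the relay would send it.

    expose_inviter=True models the weak behaviour: the inviter's own address
    is placed in Reply-To, so any reply, automatic or not, goes straight to
    the inviter.  False models the fix: replies land in a mailbox the
    service controls and discards.
    """
    msg = EmailMessage()
    msg["From"] = LINKEDIN_RELAY
    msg["To"] = invitee
    msg["Subject"] = "Please join my network"
    msg["Reply-To"] = inviter if expose_inviter else LINKEDIN_NOREPLY
    msg.set_content("Invitation text goes here.")
    return msg


def reply_target(msg: EmailMessage) -> str:
    """Address an auto-responder answers: Reply-To if present, else From.

    Assumption: this precedence is typical for mailbox auto-responders;
    real implementations differ in which header they honour.
    """
    _, addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))
    return addr


def out_of_office(msg: EmailMessage, mailbox: str, own_domain: str,
                  external_audience: str = "all",
                  known_contacts: FrozenSet[str] = frozenset()) -> Optional[EmailMessage]:
    """Produce the OOO auto-reply, or None if policy suppresses it.

    external_audience mirrors Exchange's external auto-reply settings:
      "none"  - never auto-reply to senders outside own_domain
      "known" - auto-reply only to external senders in the user's contacts
      "all"   - auto-reply to anyone (the setting that leaks the address)
    """
    # RFC 3834: never answer a message that is itself an automatic reply,
    # otherwise two auto-responders can loop against each other.
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return None
    target = reply_target(msg)
    is_external = target.rsplit("@", 1)[-1].lower() != own_domain.lower()
    if is_external:
        if external_audience == "none":
            return None
        if external_audience == "known" and target.lower() not in known_contacts:
            return None
    reply = EmailMessage()
    reply["From"] = mailbox                 # this header is the disclosure
    reply["To"] = target
    reply["Subject"] = "Automatic reply: " + msg.get("Subject", "")
    reply["Auto-Submitted"] = "auto-replied"
    reply.set_content("I am out of the office.")
    return reply


def address_leaked_to(inviter: str, reply: Optional[EmailMessage]) -> bool:
    """True if the inviter ends up receiving the invitee's real address."""
    if reply is None:
        return False
    _, to_addr = parseaddr(reply["To"])
    return to_addr.lower() == inviter.lower()


if __name__ == "__main__":
    inviter, invitee = "alice@inviter.example", "bob@corp.example"
    for expose in (True, False):
        invite = build_invitation(inviter, invitee, expose_inviter=expose)
        for audience in ("all", "known", "none"):
            reply = out_of_office(invite, invitee, "corp.example", audience)
            print(f"expose_inviter={expose!s:5} audience={audience:5} "
                  f"leaked={address_leaked_to(inviter, reply)}")
```

Run as a script it prints the six combinations; only the weak invitation together with the "all" audience setting leaks the invitee's address to the inviter. The two mitigations are independent: either the service routing replies to its own no-reply mailbox or the mailbox owner restricting external auto-replies is enough on its own, which is the point made above.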

