full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] Linkedin shared complete &

[Full-disclosure] Linkedin shared complete "personally identifiable data" to third party websites

From: Bipin Gautam <bipin.gautam_at_nospam>
Date: Mon Jan 18 2010 - 19:21:54 GMT
To: full-disclosure <full-disclosure@lists.grok.org.uk>


(This is a 15 day old news, some of you already know...0-day for few :)

Hint : It looks like, not ALL linkedin back-end servers are updated still!

Last year DIA[1] run into an almost similar problem but the problem of Linkedin is worst among all.

Facebook doesnt have this problem (but we all know whats its all about hahaha ;). BUT, one must not mis-understand only social networking website can run into this problem. ANY website, be it news forum, Blog, discussion board, websites that run entertainment portal or virtually any website is susceptible to this problem.

Other social networking website zorpia.com(uses google-analytics.com), hi5.com & netlog.com(uses quantserve.com), myspace.com(minor only, insignificant) etc DO seem to include such third party JS as such, but as i dont use any of these websites i havent had a chance to look into it deeply from a possible privacy impact analysis. But it looks like the worst website could be www.perfspot.com (consist of 2-3 third party JS)

But, i strongly believe problem like this is quiet common through the Internet in manyyy websites than one may seem expect......... :)

[1]Defense Intelligence Agency Fixes Risky Web Site Code: http://www.informationweek.com/news/security/government/showArticle.jhtml? articleID=211800622



Background:
 If a Web site includes third-party JavaScript , advertisement scripts, [or] banners called from third-party servers, the Web site is at risk of having to rely on the third party as well for overall security assurance of its Web site. They can be used to "profile" a users machine.

 "Traffic tracking beacon" are generally java-script used almost everywhere[1] and the service claim to collect "anonymous data" only. But, if left without any careful evaluation web-developers risk leaking "complete user activity" to all/any "personally identifiable details" possible to such services!

Further, the problem is worsen as "tracking beacon" are found throughout the Internet so if personally identifiable details are leaked from one trusted website, all other "anonymous data" collected on you by the beacon-service can be de-anonymized. Sadly, most web-developers dont realize this risk.

Further, there is no guarantee two different companies that provide "beacon-service" may not share their "anonymous" data to each-other? Further, beacon-service providers try to stay low profile by providing "the same service" under multiple domain names making it difficult to keep an up-to-date block list to protect your privacy.

Linkedin.com, for example shared information like page URL, the referring page, and the page title, screen resolution etc to its web-beacons (see packet capture log). Although the service provider claimed no personally identifiable information is being collected, if you look into it carefully, it is another story.

[1] http://news.ghostery.com/post/134968375/top-10-web-analytics-trackers-on-the-web

---ADVISORY--- Linkedin shared your complete "personally identifiable details" with third party facilitating a detailed real-time spying by an untrusted party over you.

Some of the information that gets leaked into its web-beacons, pixel.quantserve.com and scorecardresearch.com are:

  • Page Title
  • Groups/topics you visit / own
  • your personal interests (behavior profiling)
  • time of your visit & frequency (on a particular topic)
  • questions and answers you participate on
  • the profiles you visit
  • your search results
  • your contact list
  • the number of email you receive/sent

and lot of things which can be correlated and intersected to get the bigger picture.

So, for example... if you login into linkedin and click "edit profile" the beacon will have an "anonymous" information about someone has clicked "edit profile" in linkedin. But, now if you click view profile... your name is displayed in top of page -- which is the "windows title". Doing so, both your unique linkedin ID and the window title thats displaying your "name" GETS TRANSFERED TO scorecardresearch.com. Now, if you visit any group both the group name (as title window) and group ID is leaked. If you are just visiting a group with a few users, it will leak your membership in the group and you. Now if you click "contacts", scorecardresearch.com could know you are browsing your linkedin address book. Now if you click on to a profile there immediately, this activity will leak the profile you are visiting right now is in your friend list. (example: you may be visiting someones profile more than usual, and that info is leaked) If you receive a new email profiling may even leak from "WHO" you received the email and so on................

All such information from linkedin.com was being collected by "scorecardresearch.com" and "quantserve.com" due to negligence of linkedin.com. People with "security clearance" also login to linkedin, so linkedin.com should take it into account as well when it chooses any new practice.

This way, the third party can mine your identity to all personal details possible in linkedin far better than someone in your contact list and can track your "activity" on its affiliated domains and partners websites and throughout the Internet as if you are in some kind of 24x7 reality TV. Technically, i prefer to call such a service as "super-cookie".

# (i think) Any "software feature" that can serve as a super-cookie should be illegal as its a back door to breach our privacy........

Super cookie can be flash cookie, WMP had something like that, FF use to send anonymous UID as crash log, CSS are risky, software/updates can give away your machine identity via similar profiling and a lot of things i have said elsewhere......

This day, you can easily track a computer/identity REGARDLESS OF ITS IP ADDRESS ON THE INTERNET, for most technology like TOR will only give FALSE SENSE OF PRIVACY due to such web practices.

Moral lesson : http://www.consumeraffairs.com/news04/2010/01/rockyou.html

Also, linkedin dont have a "delete email" feature [1] in your inbox so that maybe it can (had) avoid talking about any "data retention policy" once the user has deleted his email from his inbox?

This also gives the ability (opportunity) for your employer to snoop into your inbox (if you are logging in from office network) to keep track of "who is contacting you" without your current employer (or say tracking software) having to worry you may have accessed your linkedin email in home from a potential employer and deleted the mail?

In linkedin, i dont see how the end users have control of their data. Lately, I wanted to delete a personal email received in my inbox in linkedin and discovered linkedin stores my "intellectual property" [2] for ever.........

[2] http://www.linkedin.com/static?key=pop_privacy_policy_summary In Section 1, we added a new paragraph under the heading “Consent to LinkedIn Processing Information About You”, we remind you that certain information you disclose on LinkedIn may reveal aspects of your private life and about you, and that, in joining LinkedIn, you are consenting to the terms of the user agreement and the privacy policy in all respects. While you have the right to withdraw that consent, your withdrawal will not be retroactive.

In Section 1, we added a paragraph under the heading “Rights to Access, Correct and Eliminate Information About You”, we explain that you have the right to update or eliminate information about you, but that a copy of the original information provided may be kept by LinkedIn.



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/