The browser extension Sell Hack, which allowed people to hack into LinkedIn’s email database, no longer works. When it was up and running, anyone could pull up the email address of anyone else who used LinkedIn. The extension worked well, and it worked quickly; it took me less than a minute to pull up the email address of my boss.
LinkedIn responded with a cease-and-desist letter, but Sell Hack shows no signs of backing down; the startup defended itself on its blog. “We’ve been described as sneaky, nefarious, no good, not ‘legitimate’ amongst other references by some. We’re not. We’re dads from the Midwest who like to build Web and mobile products that people use,” they wrote, promising to make another version of the product that doesn’t violate LinkedIn’s Terms of Service.
LinkedIn doesn’t have any plans to continue fighting Sell Hack. “Our goal was to stop this activity and Sell Hack’s plugin has been shut down. End of story,” Krista Canfield, the Senior Manager of Corporate Communications for LinkedIn, told the Daily Dot.
Sell Hack insists it’s a benign marketing tool that uses public information. But Adam Kujawa, the head of malware intelligence at Malwarebytes, still thinks the startup is shady, and worth keeping a close eye on.
“It looks like Sell Hack keeps a database of personal information collected,” said Kujawa. “It then searches this database and provides the user of the extension a known email address of the person.” It’s basically a higher-tech marketing email list compiled through information extracted from LinkedIn… but there was no way for users to opt out.
And sure, Sell Hack might be operated by genial dads, but it’s still something that could be an invasive nuisance for LinkedIn users. If they took this phishing method to another network like Facebook, it could get even more obnoxious—imagine if Sell Hack could unearth phone numbers through Facebook, for instance. Great for marketers, terrible for nearly everyone else.
But Kujawa emphasized that Sell Hack wasn’t breaking any laws. “While this is ‘technically’ legal—advertisement and marketing companies do in-depth searches for leads based on open source information all the time—the app itself might be dangerous to users if it is reporting personal information about the user and their contacts back to the Sell Hack database,” he said. “From a non-legal but highly annoying standpoint, these email addresses and namely the database Sell Hack uses could be sold to spam pushers, increasing the amount of spam users receive in their inbox—even if they have never used that email for anything more than a log-in.”
Kujawa doesn’t think Sell Hack is using a glitch in LinkedIn’s code to do this information phishing (which is why it’s not illegal), but noted that the way the company streamlines the information-hunting is what makes it so insidious.
Of course, LinkedIn gives users who sign up for its premium service a chance to send messages to other users’ inboxes via InMail, but this is something more users are aware of when they sign up for the service.
Illustration by Jason Reed