Inspired by the big news that Microsoft is about to acquire LinkedIn, and given my past work as a privacy and security advocate on the Microsoft Excel team, I thought it would be important to share with you a privacy bug in the LinkedIn API and a possible violation of section 2.13 of LinkedIn's Privacy Policy.
According to section 2.13 of the LinkedIn privacy policy: “Companies and other entities can create pages on our Services. If you follow one of these pages, non-identifiable information about you will be provided to the page’s administrators.” Well, today I will show you how any person (not only administrators) can automatically extract such data, and potentially “harvest” user profiles based on their engagement with any company page.
I found this bug while I was working on this blog post. I wanted to share it with you today, after a recent response from LinkedIn, stating that the issue is an expected behavior, and not a bug.
So LinkedIn and I can agree to disagree. I still think that the issue I will share with you in a minute is a bug, and IMHO a serious one, as it allows hackers to extract data about LinkedIn users who liked or commented on ANY company’s specific update via the LinkedIn API, without the company’s permission.
For example, here is a screenshot from an Excel workbook that takes advantage of this specific bug to extract from LinkedIn 100 personal names, their professional headlines, and the LinkedIn object IDs that can lead to additional personal data such as their location.
The hundred users above liked a specific Microsoft status update on LinkedIn (these are 100 users out of a total 2769 users who liked the specific update below). The status update below was arbitrarily selected. You can extract this information from any other company update on LinkedIn.
Now, as you can imagine, I don’t have any administrator access to the Microsoft company page, so it seems “unfair” to allow me to read this data, or, even worse, to allow potential abuse of such data by the company’s competitors or hackers.
You may argue that this data should be public to anyone, as it is public to users who browse company pages on LinkedIn, but I will show you below proof that LinkedIn intended to block this data from users who are not company page administrators.
As for company administrators, it does make sense to allow them to extract such data to monitor engagement and to learn more about their audience. But right now, with the bug I will share with you, anyone can use a fake company on LinkedIn and “harvest” users by their likes and comments on companies’ updates.
Now let’s drill down to the bug itself.
Continue reading “Privacy Bug in LinkedIn API – Demonstrated with #PowerQuery #Excel and #PowerBI”