Update 4/1/14: Sell Hack developers issued a statement on their blog acknowledging LinkedIn’s cease and desist request and have deactivated the plug-in temporarily while they tweak it to conform to the social media platform’s terms of service.
The statement reads in part:
We learned a lot in the last 24 hours which calls for a more analytical retrospect. For the sake of this post I’m going to stick to bullets as there is a lot to communicate and we had more signups today than in our first 60 days combined!
– We received a C&D letter from LinkedIn on 3/31.
– This is not an April Fools hoax.
– SellHack plugin no longer works on LinkedIn pages.
– We only processed publicly visible data from LinkedIn based on your profile permissions…all of which has been deleted.
– LinkedIn stated: “No member data has been put at risk as a result of Sell Hack.”
– We are building a better product that does not conflict with LinkedIn’s TOS.
* * *
The BBC is reporting that Sell Hack, a free plug-in extension for Chrome, Firefox, and Safari browsers, can then reveal the email address associated with a LinkedIn account even if the user is not connected the persons’ profile they are viewing.
When installed on the browser, the application adds a “hack in” button display when users view LinkedIn profiles, and clicking the option allegedly will allow the user to see the email address associated with the account.
But does the application really “hack in” to the LinkedIn account as inferred, or is something else at play?
According to Sell Hack’s website, “the data we process is all publicly available. We just do the heavy lifting and complicated computing to save you time. We aren’t doing anything malicious to the LinkedIn website. We think browser extensions are the best way to personalize an individuals web experience. We love LinkedIn and are trying to make it better for the community.”
And that is likely the case, according to Yahoo columnist Alyssa Bereznak, who writes that the application reveals the account holders email address “by running through an algorithm while you’re on a person’s LinkedIn page. The algorithm checks publicly available data to produce that person’s email address, or at least its very best guess.”
This is why any times the application does not work as designed, revealing no email address at all, according to Graham Cluley, who tested the application and found “that in the majority of occasions Sell Hack failed to reveal any email addresses for the profiles I tested it against. This was especially true when the profiles I attempted to find email addresses for weren’t public figures, like CEOs of major organisations.”
Nonetheless, LinkedIn is apparently taking the matter very seriously, telling the BBC “we are doing everything we can to shut Sell Hack down. On 31 March LinkedIn’s legal team delivered Sell Hack a cease-and-desist letter as a result of several violations. LinkedIn members who downloaded Sell Hack should uninstall it immediately and contact Sell Hack requesting that their data be deleted.”
Why all the fuss if the Sell Hack does not compromise LinkedIn’s security? Apparently when the plug-in is installed, users must grant it permissions which allow the software to monitor users’ activity and harvest data.
“The catch is, even after you’ve used SellHack, the extension is able to watch your activity on the site and collect the information of any direct connection whose page you’ve decided to visit,” wrote Bereznak. “What it’s using this information for is unclear.”
LinkedIn agrees this is the concern, stating that “often times, as with the Sell Hack case, extensions can upload your private LinkedIn information without your explicit consent.”
So, use Sell Hack at your own risk.