For your security, read this article carefully!

 

 

Intro

LinkedIn is one of the largest social media platforms. It operates the world’s largest professional network on the Internet, with more than 467 million members in over 200 countries and territories.

 

LinkedIn Privacy

Have you ever noticed that your LinkedIn email is visible to your connections, and that there is no privacy option to hide it?

Referring to the article Managing Your Account and Privacy Settings, there is no option to hide your email. This also goes for your birthday!

 

LinkedIn divides users into groups (relationships):

- Connections: your friends.

- 2nd: friends of friends.

- 3rd: other users, mostly friends of friends of friends.

 

Your email address is always available to your connections. If you want to view the email of one of your LinkedIn connections, open his profile and click "Contact Info".

 

 

You will get his email address and other social information such as Twitter, website, IM, etc. (if they were added by the user).

 

The Bug

As a security researcher, I was checking LinkedIn privacy and I noticed there is no option to change email privacy settings!

After a few browsing steps, I found that my email is available to my connections; they can get it by clicking "Contact Info" in my profile. I checked this with my connections and yes, I got their emails. I tried to see if I could get the emails of my 2nd and 3rd connections, but for most of them it could not be done (I succeeded in getting a few of them), either because the "Contact Info" button does not exist or because their emails are not listed in the contact info area.

 

The Exploit

In short, I succeeded in manipulating LinkedIn to get (SOME) 2nd and 3rd connections' emails and birthdays (keep reading to know why I am NOT writing the exploit steps).

Most attempts to get the emails of 2nd and 3rd connections failed.

 

Security Report

I directly submitted this bug to the LinkedIn Security Team. "Markul", the security guy, replied saying that it's not a bug: if a user synced his email address, his email will be available to his saved contacts.

 

Article: https://www.linkedin.com/help/linkedin/answer/3026

The above article, sent in "Markul"'s reply, did not answer my question. Furthermore, he stopped replying.

Searching Google, I found this article: https://www.linkedin.com/help/linkedin/answer/43372/saving-connections-and-profiles-in-linkedin-contacts?lang=en

Saving Connections and Profiles in LinkedIn Contacts
 
Synced contacts and 1st-degree connections can all be added to your LinkedIn Contacts.
 
- 1st-degree connections are automatically saved to your Contacts when you connect to them.
- Contacts in email address books and other sources are saved when you sync them.

 

Anyway, I did not find an answer to my question, which is:

If a 2nd user synced his contacts, why is his email hidden in the "Contact Info" area, while I can get his email and birthday by manipulating code?

 

This YouTube video shows getting the email address of a 2nd connection, "Haneen", while her email is not shown in her profile's contact info area.

Haneen and I do not know each other; we never emailed each other, nor do we know each other's emails.

 

 

My recommendation is to protect your email address by using 2-Step Verification.

 

After reading this, what do you think, guys? Type your opinion in the comments.