Date: Tue, 19 Jan 2010 01:06:54 +0545
From: Bipin Gautam <bipin.gautam@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Cc: nepsecure <nepsecure@...glegroups.com>, itpolicy-np <itpolicy-np@...ai.com>
Subject: Linkedin shared complete "personally identifiable
	data" to third party websites

(This is 15-day-old news; some of you already know... 0-day for a few :)

Hint : It looks like, not ALL linkedin back-end servers are updated still!

Last year DIA[1] ran into an almost similar problem, but the problem at
Linkedin is the worst of all.

Facebook doesn't have this problem (but we all know what it's all about
hahaha ;). BUT, one must not misunderstand that only social networking
websites can run into this problem. ANY website, be it a news forum,
blog, discussion board, entertainment portal or virtually any website,
is susceptible to this problem.

Other social networking websites, zorpia.com (uses google-analytics.com),
hi5.com & netlog.com (use quantserve.com), myspace.com (minor only,
insignificant) etc. DO seem to include such third party JS, but
as I don't use any of these websites I haven't had a chance to look into
it deeply from a possible privacy impact analysis. But it looks like
the worst website could be www.perfspot.com (consists of 2-3 third
party JS)

But, I strongly believe problems like this are quite common throughout
the Internet, in many more websites than one may expect......... :)


[1] Defense Intelligence Agency Fixes Risky Web Site Code:
http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=211800622

------------------------------
Background:
 If a Web site includes third-party JavaScript, advertisement
scripts, [or] banners called from third-party servers, the Web site is
at risk of having to rely on the third party as well for overall
security assurance of its Web site. They can be used to "profile" a
user's machine.

 "Traffic tracking beacons" are generally JavaScript used almost
everywhere[1], and the services claim to collect "anonymous data" only.
But, if left without any careful evaluation, web developers risk
leaking "complete user activity" and all/any "personally identifiable
details" possible to such services!

Further, the problem is worsened as "tracking beacons" are found
throughout the Internet, so if personally identifiable details are
leaked from one trusted website, all other "anonymous data" collected
on you by the beacon-service can be de-anonymized. Sadly, most
web developers don't realize this risk.

Further, there is no guarantee that two different companies that provide
a "beacon-service" will not share their "anonymous" data with each other.
Further, beacon-service providers try to stay low profile by providing
"the same service" under multiple domain names, making it difficult to
keep an up-to-date block list to protect your privacy.

Linkedin.com, for example, shared information like the page URL, the
referring page, the page title, screen resolution etc. with its
web-beacons (see packet capture log). Although the service provider
claimed no personally identifiable information is being collected, if
you look into it carefully, it is another story.

[1] http://news.ghostery.com/post/134968375/top-10-web-analytics-trackers-on-the-web


---ADVISORY---

Linkedin shared your complete "personally identifiable details" with
a third party, facilitating detailed real-time spying on you by an
untrusted party.

Some of the information that gets leaked to its web-beacons,
pixel.quantserve.com and scorecardresearch.com, is:

- Page Title
- Groups/topics you visit / own
- your personal interests (behavior profiling)
- time of your visit & frequency (on a particular topic)
- questions and answers you participate on
- the profiles you visit
- your search results
- your contact list
- the number of emails you receive/send

and a lot of things which can be correlated and intersected to get the
bigger picture.

So, for example... if you log in to linkedin and click "edit profile",
the beacon will have "anonymous" information that someone has
clicked "edit profile" in linkedin. But now, if you click view
profile... your name is displayed at the top of the page -- which is the
"window title". Doing so, both your unique linkedin ID and the window
title that's displaying your "name" GET TRANSFERRED TO
scorecardresearch.com. Now, if you visit any group, both the group name
(as window title) and the group ID are leaked. If you are just visiting a
group with a few users, it will leak your membership in the group and
you. Now if you click "contacts", scorecardresearch.com could know you
are browsing your linkedin address book. Now if you click on a
profile there immediately, this activity will leak that the profile you
are visiting right now is in your friend list. (Example: you may be
visiting someone's profile more than usual, and that info is leaked.) If
you receive a new email, profiling may even leak from "WHO" you
received the email, and so on................

All such information from linkedin.com was being collected by
"scorecardresearch.com" and "quantserve.com" due to negligence of
linkedin.com. People with "security clearance" also login to linkedin,
so linkedin.com should take it into account as well when it chooses
any new practice.

This way, the third party can mine your identity and all personal
details possible in linkedin far better than someone in your contact
list, and can track your "activity" on its affiliated domains and
partners' websites and throughout the Internet as if you are in some
kind of 24x7 reality TV. Technically, I prefer to call such a service
a "super-cookie".

# (I think) Any "software feature" that can serve as a super-cookie
should be illegal as it's a back door to breach our privacy........

A super-cookie can be a flash cookie, WMP had something like that, FF used
to send an anonymous UID in crash logs, CSS is risky, software/updates
can give away your machine identity via similar profiling, and a lot of
things I have said elsewhere......

These days, you can easily track a computer/identity REGARDLESS OF ITS
IP ADDRESS ON THE INTERNET, for most technology like TOR will only
give a FALSE SENSE OF PRIVACY due to such web practices.

Moral lesson : http://www.consumeraffairs.com/news04/2010/01/rockyou.html

Also, linkedin doesn't have a "delete email" feature [1] in your inbox so
that maybe it can (had) avoid talking about any "data retention
policy" once the user has deleted his email from his inbox?

This also gives the ability (opportunity) for your employer to snoop
into your inbox (if you are logging in from the office network) to keep
track of "who is contacting you" without your current employer (or say
tracking software) having to worry you may have accessed your linkedin
email at home from a potential employer and deleted the mail?

In linkedin, I don't see how the end users have control of their data.
Lately, I wanted to delete a personal email received in my inbox in
linkedin and discovered linkedin stores my "intellectual property" [2]
forever.........

[2] http://www.linkedin.com/static?key=pop_privacy_policy_summary
In Section 1, we added a new paragraph under the heading “Consent to
LinkedIn Processing Information About You”, we remind you that certain
information you disclose on LinkedIn may reveal aspects of your
private life and about you, and that, in joining LinkedIn, you are
consenting to the terms of the user agreement and the privacy policy
in all respects. While you have the right to withdraw that consent,
your withdrawal will not be retroactive.

In Section 1, we added a paragraph under the heading “Rights to
Access, Correct and Eliminate Information About You”, we explain that
you have the right to update or eliminate information about you, but
that a copy of the original information provided may be kept by
LinkedIn.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
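
Added example (not part of the original post): one way a site owner could audit a browsing capture for the leak described above, by checking whether requests to third-party hosts carry the page URL, title or referrer in their query strings. The host names, parameter names and capture below are all constructed for illustration and do not reproduce any real beacon's request format.

```python
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = "social.example"  # constructed first-party site

# Constructed capture: (page the user was on, request the browser then made).
CAPTURE = [
    ({"url": "https://www.social.example/profile/view?id=1234567",
      "title": "Jane Doe | Social",
      "referrer": "https://www.social.example/contacts"},
     "https://pixel.tracker-a.example/p?u=https%3A%2F%2Fwww.social.example"
     "%2Fprofile%2Fview%3Fid%3D1234567&t=Jane%20Doe%20%7C%20Social"
     "&r=https%3A%2F%2Fwww.social.example%2Fcontacts&sr=1280x800"),
    ({"url": "https://www.social.example/groups?gid=42",
      "title": "Small Private Group | Social",
      "referrer": "https://www.social.example/home"},
     "https://b.tracker-b.example/b?page=https%3A%2F%2Fwww.social.example"
     "%2Fgroups%3Fgid%3D42&rand=99"),
    ({"url": "https://www.social.example/home", "title": "Home | Social",
      "referrer": ""},
     "https://static.social.example/img/logo.png?v=3"),
]

def is_third_party(host, first_party=FIRST_PARTY):
    # Simple suffix match; a real audit would use the Public Suffix List.
    return not (host == first_party or host.endswith("." + first_party))

def leaked_fields(page, request_url):
    """Names of page-context fields whose value appears in the query string."""
    parts = urlsplit(request_url)
    if not is_third_party(parts.hostname or ""):
        return set()
    # parse_qsl percent-decodes values, so encoded titles and URLs still match.
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    found = {name for name, ctx in page.items()
             if ctx and any(ctx in v for v in values)}
    # A leaked page URL with a query string also exposes the IDs inside it.
    if "url" in found and urlsplit(page["url"]).query:
        found.add("url_identifiers")
    return found

def audit(capture):
    """Map each third-party host to the sorted list of fields it received."""
    report = {}
    for page, request_url in capture:
        fields = leaked_fields(page, request_url)
        if fields:
            host = urlsplit(request_url).hostname
            report.setdefault(host, set()).update(fields)
    return {host: sorted(f) for host, f in report.items()}

if __name__ == "__main__":
    for host, fields in audit(CAPTURE).items():
        print(host, "received:", ", ".join(fields))
```

A title or URL showing up in this report for a logged-in page is the de-anonymizing combination the post describes: a stable member or group ID next to a human-readable name.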
