A few days ago, Brian Krebs wrote a blog post that details a method of obtaining the LinkedIn e-mail addresses of its existing users. The method exploits the way LinkedIn connects people. When you make a new LinkedIn account, you are allowed to upload a list of e-mail addresses, and if any of those e-mails matches the e-mail of a LinkedIn user, LinkedIn will show you the profiles of those users.
The problem is that LinkedIn has no way of knowing if you actually know the individuals on your list. This allows spammers to harvest e-mails by uploading a list of e-mail addresses that potentially belong to celebrities. Because many people user their real names in their e-mail addresses, it isn’t surprising that at least some guesses are correct.
This exploit clearly highlights the danger in placing too much trust in a social network. Cory Scott, the director of information security at LinkedIn, says nothing the company does can prevent users from using this type of attack.
I believe Scott is completely wrong. The company has full control over what they do with user’s e-mails. LinkedIn could, for example, give the e-mail address of the person who uploaded the contact list to every potential invitee. They could then ask the invitee to approve the request to be contacted based on whether they know the e-mail address of the inviter. If they deny the request, LinkedIn could withhold knowledge that the invitee is even a member on their network from the inviter, thus making it impossible to determine whether an invitee declined a request or simply doesn’t exist on the network. This vulnerability only exists because LinkedIn gives inviters too much information on other users. My guess is, although such a model would protect the privacy of their members, it would also make it more difficult for people to send invitations, which the company does not want. If LinkedIn really wanted to do something about the problem, they could.
So how do you protect yourself from having your e-mail guessed? One option is to simply not trust LinkedIn with an important e-mail. Instead of giving them an important e-mail address that you cannot afford to have guessed by the public, give them an e-mail address that is used only on LinkedIn. If your e-mail address is compromised, you wouldn’t have lost very much. If you need to actually check the LinkedIn-only e-mail for messages, you can use an e-mail client like Thunderbird or automatically forward all the e-mails to another e-mail account if your e-mail provider offers that feature.