Sunday, October 12, 2014

Creepy visitor tracking using Linkedin

A few days ago I performed an experiment and added the following code to my blog:
<img src="https://www.linkedin.com/profile/view?authToken=zRgB&authType=name&id=98261032" />
The link in the code snippet points to my LinkedIn profile, and those familiar with web security will recognize the CSRF here (the authToken apparently isn't validated correctly).
So how did the experiment unfold? Because the browser attaches the LinkedIn session cookie to the image request, anyone who visited my blog also involuntarily visited my LinkedIn profile. It turns out that around 35% of blog visitors were also logged in to their LinkedIn accounts while browsing the Web, and my LinkedIn profile received more than 800 "profile views" with details about these visitors:
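As an added, defender-side illustration (not code from this post and not LinkedIn's own code): a hypothetical gate in front of a "record profile view" endpoint that would defeat this trick by refusing to count a cross-site <img> fetch as a view and by actually checking the token against the viewer's session. The header handling and the session-bound token design are assumptions.

```python
import hmac
from typing import Mapping, Tuple

# Hypothetical gate in front of a "record profile view" endpoint (added
# illustration, not LinkedIn's code). It records a view only for a real
# top-level navigation whose token matches the viewer's session, so an
# <img src="..."> embedded on a third-party page records nothing.

def should_record_view(headers: Mapping[str, str],
                       session_token: str,
                       presented_token: str) -> Tuple[bool, str]:
    """Return (allowed, reason); header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Modern browsers label every request with Sec-Fetch-Dest. An <img>
    #    fetch arrives as "image"; a genuine profile view is a "document"
    #    navigation. A cross-site navigation (a clicked link) is still fine,
    #    so Sec-Fetch-Site alone is deliberately not used to reject.
    dest = h.get("sec-fetch-dest")
    if dest is not None:
        if dest != "document":
            return False, f"sub-resource fetch (Sec-Fetch-Dest: {dest})"
    else:
        # 2. Older browsers: a navigation negotiates HTML, an <img> does not.
        if "text/html" not in h.get("accept", ""):
            return False, "Accept header does not look like a navigation"

    # 3. A token is only a defence if it is checked. Bind it to the viewer's
    #    session and compare in constant time (assumed design).
    if not presented_token or not hmac.compare_digest(presented_token, session_token):
        return False, "authToken does not match the viewer's session"
    return True, "ok"


# Constructed sample requests, not captured traffic.
IMG_FROM_BLOG = {   # what an <img> tag on a third-party page produces
    "Sec-Fetch-Dest": "image", "Sec-Fetch-Mode": "no-cors",
    "Sec-Fetch-Site": "cross-site", "Referer": "https://blog.example/",
    "Accept": "image/webp,*/*",
}
LEGACY_IMG = {"Accept": "image/webp,*/*", "Referer": "https://blog.example/"}
REAL_VISIT = {"Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate",
              "Sec-Fetch-Site": "cross-site", "Accept": "text/html,*/*"}

if __name__ == "__main__":
    for name, req in [("img", IMG_FROM_BLOG), ("legacy img", LEGACY_IMG),
                      ("visit", REAL_VISIT)]:
        print(name, should_record_view(req, "session-tok", "session-tok"))
    print("bad token", should_record_view(REAL_VISIT, "session-tok", "zRgB"))
```

The browser-side complement is marking the session cookie `SameSite=Lax`: the cross-site image fetch then carries no cookie at all, so the request arrives anonymous and there is no viewer to record.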


So, a little advice: if you prefer privacy, don't forget to sign out of your LinkedIn account before browsing the Web.