Step-by-step how to deanonymize emails on LinkedIn

We have previously talked about LinkedIn having an endpoint for Outlook profile cards. This endpoint is receiving email addresses as input and returns the complete profile information (name, company, location, etc.). These sorts of APIs can be abused for OSINT.

To reproduce the set-by-step tutorial your will need an Outlook account (@hotmail.com, @live.com or outlook.com email), the latest version of ZAP and our WebSocket plugin.

Step-by-step how to deanonymize emails on LinkedIn

We have previously talked about LinkedIn having an endpoint for Outlook profile cards. This endpoint is receiving email addresses as input and returns the complete profile information (name, company, location, etc.). These sorts of APIs can be abused for OSINT.

To reproduce the set-by-step tutorial your will need an Outlook account (@hotmail.com, @live.com or outlook.com email), the latest version of ZAP and our WebSocket plugin.

Linking your Outlook profile to LinkedIn

Any personal outlook email can access this functionally. Including free accounts. You need to place your cursor on either the name or the avatar of any sender. An information card should pop-up. Go to the LinkedIn tab and click “Connect”. Follow the OAuth authentication flow on linkedin.com. Once complete the LinkedIn tab should display some information about the sender.

Authorization page on LinkedIn

Grabbing a valid session token

Linking both Outlook and LinkedIn profile will grant you a Bearer token. This token will not be refreshed frequently. To see this token you will need ZAP and our WebSocket decoding plugin. It is available for download at : https://github.com/GoSecure/zap-autodecode-view/releases/tag/version-1.0.0

ZAP Autodecode plugin

To initiate the WebSocket communication, you must click on one sender to display its LinkedIn card.

You will be able to see at least one WebSocket query starting with “{“Key”:”34″,”Url”:”https://sfnam.loki.delve.office.com/api/v1/linkedin/profiles/full[…]”.

Copy the content of this JSON payload to a file name “token.txt”. Make sure it contains at least “Bearer” followed by a large random string. You are now ready to use the script!

Automating profile queries

Place the emails you want to test in a file. We will call it “email_list.txt”. Keep in mind that there is limit of approximately 1000 emails queries per day per LinkedIn account (token).

Next, you need to obtain a copy of the proof-of-concept script at https://github.com/GoSecure/linkedin-osint.

Executing the tool will look like this:

> cat email_list.txt
*******@yahoo.com
*******@gmail.com
*******@hotmail.com
*******@libero.it
*******@hotmail.com
*******@soton.ac.uk
*******@hotmail.com
*******@inmovement.org
*******@hotmail.com
 >python outlook_http_client.py samples_demo.txt > profiles_demo.json
[+] *******@yahoo.com: Not Found
[!] Nb failures: 1
[+] *******@gmail.com: Found
[+] Summary: Paul *******, "Attorney and Counsel" at "*******", "Waltham, Massachusetts, United States"
[+] *******@hotmail.com: Found
[+] Summary: David *******, "Engineering Specialist*******" at "*******", "Greater McAllen Area"
[+] *******@libero.it: Found
[+] Summary: antonio *******, "******* Professional" at "*******", "Naples, Campania, Italy"
[+] *******@hotmail.com: Not Found
[!] Nb failures: 1
[+] *******@soton.ac.uk: Found
[+] Summary: Tom *******, "Student *******" at "", "Southampton, England, United Kingdom"
[+] *******@yahoo.com: Found
[+] Summary: Madhukar *******, "Financial Crimes*******" at "*******", "New York City Metropolitan Area"
[+] *******@inmovement.org: Not Found
[!] Nb failures: 1
[+] *******@hotmail.com: Found
[+] Summary: Shaun *******, "Strategic *******" at "*******", "Bismarck, North Dakota, United States"

Tool output. Emails are masked to avoid targeting specific user.

General information about the queries is displayed in the error output stream. The standard output stream includes the profile details. In the example above the information is stored in “profiles.json”. The file content will look as follows:

*********@gmail.com|{"displayName":" ********* ","headline":" ********* ", "companyName":" ********* ", "companyLocation ":"", [...]

Profile information returned. Information is not masked when using the tool.

Conclusion

This concludes our tip on how to find LinkedIn profiles associated to an email. If you are doing this process with huge list of emails or repeatedly, the endpoint will return an empty profile to any queries once the maximum number of queries is reached for the day. This is the reason the script will stop after ten consecutive failures by default.

Step-by-step how to deanonymize emails on LinkedIn

Linking your Outlook profile to LinkedIn

Grabbing a valid session token

Automating profile queries

Conclusion

Search

Categories

Recent Posts

What We Do

Company

GLOBAL HEADQUARTERS

Join 200,000+ Security Leaders

Sign up for our communications to receive our latest news, events, helpful assets, and learn more.

Email Subscription

Cyber Risks

Sensitive Data Security

Private Equity Firms

Cybersecurity Compliance

Cyber Insurance

Ransomware

Zero-Day Attacks

Consolidate, Evolve & Thrive

OUR SOC

Proactive Defense, 24/7

GoSecure Appoints Eric Rochette to Chief Technology Officer (CTO)

Large-Scale Spear-Phishing Campaign with Malicious RDP Attachments

From Mainstream to Malicious: How Popular Smartphone Brands Are Used in Cyber Attacks on RDP

Large-Scale Spear-Phishing Campaign with Malicious RDP Attachments

Get A Demo

Build A Quote

Become A Partner