Step-by-step how to deanonymize emails on LinkedIn
We have previously talked about LinkedIn having an endpoint for Outlook profile cards. This endpoint receives email addresses as input and returns the complete profile information (name, company, location, etc.). These sorts of APIs can be abused for OSINT.

To reproduce the step-by-step tutorial, you will need an Outlook account (@hotmail.com, @live.com or @outlook.com email), the latest version of ZAP and our WebSocket plugin.

Linking your Outlook profile to LinkedIn

Any personal Outlook email account can access this functionality, including free accounts. You need to place your cursor on either the name or the avatar of any sender. An information card should pop up. Go to the LinkedIn tab and click “Connect”. Follow the OAuth authentication flow on linkedin.com. Once complete, the LinkedIn tab should display some information about the sender.
Authorization page on LinkedIn

Grabbing a valid session token

Linking your Outlook and LinkedIn profiles will grant you a Bearer token. This token will not be refreshed frequently. To see this token, you will need ZAP and our WebSocket decoding plugin. It is available for download at: https://github.com/GoSecure/zap-autodecode-view/releases/tag/version-1.0.0

ZAP Autodecode plugin
To initiate the WebSocket communication, you must click on one sender to display its LinkedIn card.
You will be able to see at least one WebSocket query starting with “{"Key":"34","Url":"https://sfnam.loki.delve.office.com/api/v1/linkedin/profiles/full[…]”.
Copy the content of this JSON payload to a file named “token.txt”. Make sure it contains at least “Bearer” followed by a large random string. You are now ready to use the script!

Automating profile queries

Place the emails you want to test in a file. We will call it “email_list.txt”. Keep in mind that there is a limit of approximately 1000 email queries per day per LinkedIn account (token).

Next, you need to obtain a copy of the proof-of-concept script at https://github.com/GoSecure/linkedin-osint.

Executing the tool will look like this:

> cat email_list.txt
*******@yahoo.com
*******@gmail.com
*******@hotmail.com
*******@libero.it
*******@hotmail.com
*******@soton.ac.uk
*******@hotmail.com
*******@inmovement.org
*******@hotmail.com
> python outlook_http_client.py samples_demo.txt > profiles_demo.json
[+] *******@yahoo.com: Not Found
[!] Nb failures: 1
[+] *******@gmail.com: Found
[+] Summary: Paul *******, "Attorney and Counsel" at "*******", "Waltham, Massachusetts, United States"
[+] *******@hotmail.com: Found
[+] Summary: David *******, "Engineering Specialist*******" at "*******", "Greater McAllen Area"
[+] *******@libero.it: Found
[+] Summary: antonio *******, "******* Professional" at "*******", "Naples, Campania, Italy"
[+] *******@hotmail.com: Not Found
[!] Nb failures: 1
[+] *******@soton.ac.uk: Found
[+] Summary: Tom *******, "Student *******" at "", "Southampton, England, United Kingdom"
[+] *******@yahoo.com: Found
[+] Summary: Madhukar *******, "Financial Crimes*******" at "*******", "New York City Metropolitan Area"
[+] *******@inmovement.org: Not Found
[!] Nb failures: 1
[+] *******@hotmail.com: Found
[+] Summary: Shaun *******, "Strategic *******" at "*******", "Bismarck, North Dakota, United States"
Tool output. Emails are masked to avoid targeting specific users.
General information about the queries is written to the error output stream, while the standard output stream carries the profile details. In the example above, the information is stored in “profiles.json”. The file content will look as follows:
*********@gmail.com|{"displayName":" ********* ","headline":" ********* ", "companyName":" ********* ", "companyLocation ":"", [...]
Profile information returned. Information is not masked when using the tool.

Conclusion

This concludes our tip on how to find LinkedIn profiles associated with an email. If you are doing this process with a huge list of emails or repeatedly, the endpoint will return an empty profile to any query once the maximum number of queries is reached for the day. This is the reason the script will stop after ten consecutive failures by default.
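Because an exhausted quota produces the same empty result as a missing profile, a log that ends in a long run of "Not Found" lines cannot be read as "no profile exists". The following is an added example, not part of the GoSecure script: it parses the status lines shown in the tool output above and, when the log ends with at least ten consecutive misses, marks them as inconclusive. The function name `parse_run`, the sample log and its example.com addresses are constructed for illustration.

```python
import re

# Line shapes taken from the tool output shown earlier in this post.
RESULT_RE = re.compile(r"^\[\+\] (?P<email>\S+@\S+): (?P<status>Found|Not Found)$")
SUMMARY_RE = re.compile(
    r'^\[\+\] Summary: (?P<name>.*?), "(?P<headline>.*)" at "(?P<company>.*)", '
    r'"(?P<location>.*)"$'
)
STOP_THRESHOLD = 10  # the script's default: stop after ten consecutive failures


def parse_run(log_text, threshold=STOP_THRESHOLD):
    """Return (records, quota_suspected) for one captured error-stream log."""
    records = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RESULT_RE.match(line)
        if m:
            status = m["status"].lower().replace(" ", "_")  # found / not_found
            records.append({"email": m["email"], "status": status})
        elif records and records[-1]["status"] == "found":
            s = SUMMARY_RE.match(line)
            if s:
                records[-1].update(s.groupdict())  # attach summary to its lookup
    # Length of the run of misses that ends the log.
    trailing = 0
    for rec in reversed(records):
        if rec["status"] != "not_found":
            break
        trailing += 1
    quota_suspected = trailing > 0 and trailing >= threshold
    if quota_suspected:
        # An exhausted quota also yields empty profiles, so these are unknown.
        for rec in records[-trailing:]:
            rec["status"] = "inconclusive"
    return records, quota_suspected


# Constructed sample log (made-up addresses and profiles, not real tool output).
SAMPLE_LOG = "\n".join(
    [
        "[+] alice@example.com: Found",
        '[+] Summary: Alice Example, "Security Analyst" at "", "Montreal, Quebec, Canada"',
        "[+] bob@example.com: Not Found",
        "[!] Nb failures: 1",
        "[+] carol@example.com: Found",
        '[+] Summary: Carol Example, "Engineer" at "Example Corp", "Ottawa, Ontario, Canada"',
    ]
    + [f"[+] user{i}@example.com: Not Found\n[!] Nb failures: {i}" for i in range(1, 11)]
)
```

Addresses marked inconclusive should be checked again on a later day before being reported as having no linked profile.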
