Updated 05/23/2013 - Added periodically updated sample to demonstrate – Added new post on how to disable – made minor clarifications.
If you’re viewing this page and you also happen to be logged in to LinkedIn, you probably just gave me your first name, last name, company name, and position.
A devious website’s paradise:
Profile Stats allow you to see which LinkedIn members have viewed your profile recently. As you can see in the provided image, 19 people have viewed my LinkedIn.com profile in the last 90 days. And if I click through, I can see a list of all those people who have viewed my profile:
One thing you may have noticed right away is that much information is redacted from this record… but don’t worry, LinkedIn has a solution! For a low monthly fee, I can become a premium LinkedIn subscriber; the redacted information becomes available, and the full name, company and position name of the people who have viewed your profile are now available for your viewing pleasure.
But why is this feature dangerous?
Perhaps you’re okay with LinkedIn sharing your name and company with the profiles you view on their service… that makes sense. But what about no-name random websites like mine?
The most awesome part of LinkedIn’s feature is that it’s enabled by default, so all I have to do to get your information is get you to view my Profile on LinkedIn… then I’ll see who you are.
The easiest way to do that is to simply have you load it in an invisible iframe or image tag. To test this, I created a LinkedIn account and requested the profile from an image tag right here:…. Did you see anything? Nope. I hid it from you, but LinkedIn was still loaded on your behalf. Really! Look at the HTML source of this page, and you’ll see what I’m talking about.
So, for 1 line of common HTML code and a premium LinkedIn account, I can see your first name, last name, company name, position, and anything else you’ve shared publicly on LinkedIn, as long as you were logged in. When was the last time you logged out of LinkedIn? I swear they have the world’s longest cookie expiration, so it seems like I sign in once a year.
Now here’s the scary thing – how many other websites, both malicious and legitimate, have figured this out? Who knows far more about you than they should?
It is true that there are some technical challenges in correlating the actual web request with your individualized visit. The more heavily trafficked a website, the more difficult it would be to tie an individual name to an individual web request. But in my opinion, the damage is done: Some of my personal information may be available, whether I can be tied to a specific IP address or not.
I discovered this scary feature after reviewing some technical requests made by 3rd party software my company uses. The company who I saw using it will remain unnamed and anonymous, as I don’t believe it was being used maliciously, and I found their usage of LinkedIn’s feature to be ingenious, albeit scary. This highlights the increasing complexities of trusting large organizations with your data. While I’m okay with being part of the LinkedIn professional network, I’m not okay with them offering my personal information to websites I visit, all for one low monthly fee.
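A hidden image or iframe load like the one described above can be told apart from a real visit on the server side, because current browsers attach Fetch Metadata headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`, `Sec-Fetch-User`) to each request. The following is an added example, not code from this post or from LinkedIn; the function `shouldRecordProfileView`, its policy, and the sample header sets are all hypothetical and constructed for illustration.

```javascript
// Hypothetical server-side policy (not LinkedIn's code): should an authenticated
// request for a profile page be logged as a "profile view"?
// Uses the Fetch Metadata request headers sent by current browsers.
function shouldRecordProfileView(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim().toLowerCase();
  }
  const site = h['sec-fetch-site'];
  const mode = h['sec-fetch-mode'];
  const dest = h['sec-fetch-dest'];
  const userActivated = h['sec-fetch-user'] === '?1';

  // No Fetch Metadata (old browser, non-browser client): do not log a view.
  if (!site || !mode || !dest) return { record: false, reason: 'no-fetch-metadata' };
  // <img>, <iframe>, <script>, ...: the page was embedded, not visited.
  if (dest !== 'document') return { record: false, reason: 'embedded-as-' + dest };
  if (mode !== 'navigate') return { record: false, reason: 'not-a-navigation' };
  // Navigation started by another site without a user gesture (scripted redirect).
  if (site === 'cross-site' && !userActivated) {
    return { record: false, reason: 'cross-site-without-user-gesture' };
  }
  return { record: true, reason: 'top-level-navigation' };
}

// Constructed sample requests (header sets only), one per scenario.
const SAMPLES = {
  hiddenImage: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'no-cors', 'Sec-Fetch-Dest': 'image' },
  hiddenIframe: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'iframe' },
  scriptedRedirect: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'document' },
  linkClick: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'document', 'Sec-Fetch-User': '?1' },
  typedUrl: { 'sec-fetch-site': 'none', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document', 'sec-fetch-user': '?1' },
  legacyClient: { 'User-Agent': 'constructed-legacy-client' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const verdict = shouldRecordProfileView(headers);
  console.log(name.padEnd(18), verdict.record ? 'RECORD' : 'IGNORE', verdict.reason);
}
```

Setting the session cookie to `SameSite=Lax` addresses the same problem one layer lower: the browser then leaves the cookie off cross-site image and iframe requests, so the embedded load arrives unauthenticated.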
Can I turn this feature off?
Yes! More here!
Update #2: What you can see without a premium subscription
So it turns out, even without a premium subscription I’m seeing some interesting things. Often I’ll see a company name and position, but no first and last name. For instance, I know that a “Media Producer” with Thomson Reuters just viewed the blog post about 10 minutes ago, as did an Officer with the Dept. of Homeland Security. Since I haven’t purchased a premium LinkedIn account, I don’t have more details… but even that information is pretty interesting. LinkedIn has also told me an Engineer from Adobe has viewed my profile, as well as several Professors at Universities around the world.
Very interesting! And scary.
Update #3: A sample of people that are viewing this page
I thought it’d be cool to periodically update a sample list with people viewing this page. No first and last names, of course. You can see it here. I think I’ll update it throughout the day of Thursday, May 23rd.