Step-by-step how to deanonymize emails on LinkedIn
We have previously talked about LinkedIn having an endpoint for Outlook profile cards. This endpoint receives email addresses as input and returns the complete profile information (name, company, location, etc.). These sorts of APIs can be abused for OSINT.

To reproduce this step-by-step tutorial you will need an Outlook account (@hotmail.com, @live.com or @outlook.com email), the latest version of ZAP and our WebSocket plugin.

Linking your Outlook profile to LinkedIn

Any personal Outlook account, including free accounts, can access this functionality. Place your cursor on either the name or the avatar of any sender. An information card should pop up. Go to the LinkedIn tab and click “Connect”, then follow the OAuth authentication flow on linkedin.com. Once complete, the LinkedIn tab should display some information about the sender.
Figure: Authorization page on LinkedIn

Grabbing a valid session token

Linking your Outlook and LinkedIn profiles grants you a Bearer token, which is not refreshed frequently. To see this token you will need ZAP and our WebSocket decoding plugin. It is available for download at: https://github.com/GoSecure/zap-autodecode-view/releases/tag/version-1.0.0

Figure: ZAP Autodecode plugin
To initiate the WebSocket communication, you must click on one sender to display its LinkedIn card.
You will be able to see at least one WebSocket query starting with {"Key":"34","Url":"https://sfnam.loki.delve.office.com/api/v1/linkedin/profiles/full[…]
Copy the content of this JSON payload to a file named “token.txt”. Make sure it contains at least “Bearer” followed by a large random string. You are now ready to use the script!

Automating profile queries

Place the emails you want to test in a file. We will call it “email_list.txt”. Keep in mind that there is a limit of approximately 1000 email queries per day per LinkedIn account (token).

Next, you need to obtain a copy of the proof-of-concept script at https://github.com/GoSecure/linkedin-osint.

Executing the tool will look like this:

> cat email_list.txt
*******@yahoo.com
*******@gmail.com
*******@hotmail.com
*******@libero.it
*******@hotmail.com
*******@soton.ac.uk
*******@hotmail.com
*******@inmovement.org
*******@hotmail.com
> python outlook_http_client.py samples_demo.txt > profiles_demo.json
[+] *******@yahoo.com: Not Found
[!] Nb failures: 1
[+] *******@gmail.com: Found
[+] Summary: Paul *******, "Attorney and Counsel" at "*******", "Waltham, Massachusetts, United States"
[+] *******@hotmail.com: Found
[+] Summary: David *******, "Engineering Specialist*******" at "*******", "Greater McAllen Area"
[+] *******@libero.it: Found
[+] Summary: antonio *******, "******* Professional" at "*******", "Naples, Campania, Italy"
[+] *******@hotmail.com: Not Found
[!] Nb failures: 1
[+] *******@soton.ac.uk: Found
[+] Summary: Tom *******, "Student *******" at "", "Southampton, England, United Kingdom"
[+] *******@yahoo.com: Found
[+] Summary: Madhukar *******, "Financial Crimes*******" at "*******", "New York City Metropolitan Area"
[+] *******@inmovement.org: Not Found
[!] Nb failures: 1
[+] *******@hotmail.com: Found
[+] Summary: Shaun *******, "Strategic *******" at "*******", "Bismarck, North Dakota, United States"
Tool output. Emails are masked to avoid targeting specific users.
General information about the queries is written to the standard error stream, while the standard output stream carries the profile details. In the example above, standard output is redirected to a file (“profiles_demo.json”). The file content will look as follows:
*********@gmail.com|{"displayName":" ********* ","headline":" ********* ", "companyName":" ********* ", "companyLocation ":"", [...]
Profile information returned. Information is not masked when using the tool.

Conclusion

This concludes our tip on how to find LinkedIn profiles associated with an email. If you run this process with a huge list of emails or repeatedly, the endpoint will return an empty profile to every query once the maximum number of queries for the day is reached. This is why the script stops after ten consecutive failures by default.