We have previously talked about LinkedIn having an endpoint for Outlook profile cards. This endpoint is receiving email addresses as input and returns the complete profile information (name, company, location, etc.). These sorts of APIs can be abused for OSINT.

To reproduce the set-by-step tutorial your will need an Outlook account (@hotmail.com, @live.com or outlook.com email), the latest version of ZAP and our WebSocket plugin.

Step-by-step how to deanonymize emails on LinkedIn
Step-by-step how to deanonymize emails on LinkedIn
We have previously talked about LinkedIn having an endpoint for Outlook profile cards. This endpoint is receiving email addresses as input and returns the complete profile information (name, company, location, etc.). These sorts of APIs can be abused for OSINT.

To reproduce the set-by-step tutorial your will need an Outlook account (@hotmail.com, @live.com or outlook.com email), the latest version of ZAP and our WebSocket plugin.

Linking your Outlook profile to LinkedIn

Any personal outlook email can access this functionally. Including free accounts. You need to place your cursor on either the name or the avatar of any sender. An information card should pop-up. Go to the LinkedIn tab and click “Connect”. Follow the OAuth authentication flow on linkedin.com. Once complete the LinkedIn tab should display some information about the sender.
stepbystep-deanonymize-linkedin-image-1
Authorization page on LinkedIn

Grabbing a valid session token

Linking both Outlook and LinkedIn profile will grant you a Bearer token. This token will not be refreshed frequently. To see this token you will need ZAP and our WebSocket decoding plugin. It is available for download at : https://github.com/GoSecure/zap-autodecode-view/releases/tag/version-1.0.0

stepbystep-deanonymize-linkedin-image-2
ZAP Autodecode plugin
To initiate the WebSocket communication, you must click on one sender to display its LinkedIn card.
stepbystep-deanonymize-linkedin-image-4
You will be able to see at least one WebSocket query starting with “{“Key”:”34″,”Url”:”https://sfnam.loki.delve.office.com/api/v1/linkedin/profiles/full[…]”.
stepbystep-deanonymize-linkedin-image-3
Copy the content of this JSON payload to a file name “token.txt”. Make sure it contains at least “Bearer” followed by a large random string. You are now ready to use the script!

Automating profile queries

Place the emails you want to test in a file. We will call it “email_list.txt”. Keep in mind that there is limit of approximately 1000 emails queries per day per LinkedIn account (token).

Next, you need to obtain a copy of the proof-of-concept script at https://github.com/GoSecure/linkedin-osint.

Executing the tool will look like this:

> cat email_list.txt
*******@yahoo.com
*******@gmail.com
*******@hotmail.com
*******@libero.it
*******@hotmail.com
*******@soton.ac.uk
*******@hotmail.com
*******@inmovement.org
*******@hotmail.com
 >python outlook_http_client.py samples_demo.txt > profiles_demo.json
[+] *******@yahoo.com: Not Found
[!] Nb failures: 1
[+] *******@gmail.com: Found
[+] Summary: Paul *******, "Attorney and Counsel" at "*******", "Waltham, Massachusetts, United States"
[+] *******@hotmail.com: Found
[+] Summary: David *******, "Engineering Specialist*******" at "*******", "Greater McAllen Area"
[+] *******@libero.it: Found
[+] Summary: antonio *******, "******* Professional" at "*******", "Naples, Campania, Italy"
[+] *******@hotmail.com: Not Found
[!] Nb failures: 1
[+] *******@soton.ac.uk: Found
[+] Summary: Tom *******, "Student *******" at "", "Southampton, England, United Kingdom"
[+] *******@yahoo.com: Found
[+] Summary: Madhukar *******, "Financial Crimes*******" at "*******", "New York City Metropolitan Area"
[+] *******@inmovement.org: Not Found
[!] Nb failures: 1
[+] *******@hotmail.com: Found
[+] Summary: Shaun *******, "Strategic *******" at "*******", "Bismarck, North Dakota, United States"
Tool output. Emails are masked to avoid targeting specific user.
General information about the queries is displayed in the error output stream. The standard output stream includes the profile details. In the example above the information is stored in “profiles.json”. The file content will look as follows:
*********@gmail.com|{"displayName":" ********* ","headline":" ********* ", "companyName":" ********* ", "companyLocation ":"", [...]
Profile information returned. Information is not masked when using the tool.

Conclusion

This concludes our tip on how to find LinkedIn profiles associated to an email. If you are doing this process with huge list of emails or repeatedly, the endpoint will return an empty profile to any queries once the maximum number of queries is reached for the day. This is the reason the script will stop after ten consecutive failures by default.

GoSecure Titan® Managed Extended Detection & Response (MXDR)​

GoSecure Titan® Managed Extended Detection & Response (MXDR)​ Foundation

GoSecure Titan® Vulnerability Management as a Service (VMaaS)

GoSecure Titan® Managed Security Information & Event Monitoring (SIEM)

GoSecure Titan® Managed Perimeter Defense​ (MPD)

GoSecure Titan® Inbox Detection and Response (IDR)

GoSecure Titan® Platform

GoSecure Professional Security Services

Incident Response Services

Security Maturity Assessment

Privacy Services

PCI DSS Services

Penetration Testing Services​

Security Operations

MicrosoftLogo

GoSecure MXDR for Microsoft

Comprehensive visibility and response within your Microsoft security environment

USE CASES

Cyber Risks

Risk-Based Security Measures

Sensitive Data Security

Safeguard sensitive information

Private Equity Firms

Make informed decisions

Cybersecurity Compliance

Fulfill regulatory obligations

Cyber Insurance

A valuable risk management strategy

Ransomware

Combat ransomware with innovative security

Zero-Day Attacks

Halt zero-day exploits with advanced protection

Consolidate, Evolve & Thrive

Get ahead and win the race with the GoSecure Titan® Platform

24/7 MXDR FOUNDATION

GoSecure Titan® Endpoint Detection and Response (EDR)

GoSecure Titan® Next Generation Antivirus (NGAV)

GoSecure Titan® Network Detection and Response (NDR)

GoSecure Titan® Inbox Detection and Reponse (IDR)

GoSecure Titan® Intelligence

ABOUT GOSECURE

GoSecure is a recognized cybersecurity leader and innovator, pioneering the integration of endpoint, network, and email threat detection into a single Managed Extended Detection and Response (MXDR) service. For over 20 years, GoSecure has been helping customers better understand their security gaps and improve their organizational risk and security maturity through MXDR and Professional Services solutions delivered by one of the most trusted and skilled teams in the industry.

LATEST PRESS RELEASE

GOSECURE BLOG

SECURITY ADVISORIES

 24/7 Emergency – (888)-287-5858