Logo on LinkedIn wall

One of the things that makes LinkedIn such a useful business tool for so many people is the ability to see who has visited your LinkedIn profile. Not only does this let you see what kind of searches are leading people to your profile, but it gives the savvy social media-connected individual a source of potential leads without having to go out and find them.

But what if I told you this feature could also be used to easily identify many of the visitors to a website, stripping away the tiny layer of anonymity we have left while surfing the internet?

Andris Atteka reports that he was able to determine the identity of 35% of his website’s visitors by including a simple piece of HTML code in his website. The code essentially spoofed LinkedIn into believing that the visitor was actually viewing Andris’ LinkedIn profile, so LinkedIn recorded a profile view for any website visitor who was also logged in to LinkedIn at the time of the visit.

So how did the experiment unfold? Anyone who visited my blog also involuntarily visited my LinkedIn profile. It turns out that around 35% of blog visitors were also logged in to their LinkedIn accounts while browsing the Web, and my LinkedIn profile received more than 800 “profile views” with details about these visitors.

Screenshot showing the spike in profile views after implementing the remote code.

Regaining Your Privacy

There are really only two ways of preventing unscrupulous website owners from collecting LinkedIn information from your visit: log out of LinkedIn (and stay logged out unless you are actually using LinkedIn), or disable profile view information. Although disabling the “calling card” feature in LinkedIn defeats one of the best features of the social network (and one that helps set it apart from other networks like Facebook and Twitter), it is really the only way to remain anonymous both on and off LinkedIn’s website until this vulnerability is fixed.
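
On the site's side, one way such a fix could work is to count a profile view only when the profile is opened as a top-level page, not when it is loaded inside another site's page. The sketch below is an added example, not code from LinkedIn or from Andris Atteka; it assumes the embedded HTML loaded the profile as a frame or other subresource, relies on the browser's Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest), and all function and variable names are hypothetical.

```python
# Added example: decide server-side whether an authenticated profile page
# request should be recorded as a "profile view". Names are hypothetical.

def should_record_profile_view(headers, count_legacy_clients=False):
    """Return (record, reason) for one profile page request."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    mode = h.get("sec-fetch-mode")
    dest = h.get("sec-fetch-dest")

    # Browsers that predate Fetch Metadata send none of these headers;
    # the caller chooses whether such requests count.
    if site is None:
        return count_legacy_clients, "no fetch metadata"

    # A genuine visit is a top-level navigation that renders the profile.
    # Frames, images, scripts and fetch() calls all fail this test.
    if mode != "navigate" or dest != "document":
        return False, f"embedded or background load (mode={mode}, dest={dest})"

    return True, f"top-level navigation (site={site})"


# Constructed sample header sets, as a browser would send them.
SAMPLES = {
    "link clicked on another site": {
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Dest": "document"},
    "frame inside a third-party page": {
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Dest": "iframe"},
    "image tag on a third-party page": {
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
        "Sec-Fetch-Dest": "image"},
    "browser without fetch metadata": {},
}


def evaluate_samples():
    """Map each constructed sample to the record / do-not-record decision."""
    return {name: should_record_profile_view(h)[0]
            for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {should_record_profile_view(hdrs)}")
```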