
Last night I applied for a job, and there was a link that you can click to allow the website to access your LinkedIn information. I clicked on this. I usually breeze through this because all these applications just want to access your basic information. I entered my password and hit enter when I looked at the screen and realized that I agreed to the following:

iCIMS would like to access some of your LinkedIn info:

YOUR PROFILE OVERVIEW

YOUR FULL PROFILE

YOUR EMAIL ADDRESS

YOUR CONNECTIONS

YOUR CONTACT INFO

NETWORK UPDATES

GROUP DISCUSSIONS

INVITATIONS AND MESSAGES

So I looked up what this meant:

Network Updates - Retrieves and posts updates as you.

Group Discussions - Retrieves and posts group discussions as you.

Invitations and Messages - Sends messages and invitations to connect as you.

So it seems I gave them access to pretty much every feature except the ability to close my account and/or change the password (which I promptly did). Whoops.

This is a category of dark patterns: have the user click on something that has been benign the last 20 times they've seen something similar, but this time isn't.




> This is a category of dark patterns: have the user click on something that has been benign the last 20 times they've seen something similar, but this time isn't.

This is the nature of OAuth, in which the scopes can be different for many different clients. Not that this makes it any better, you just need to be aware of it. Slideshare do the same thing when you click download - if you verify using LinkedIn they want access to everything on your LinkedIn profile just so you can download the slides. Ridiculous (even if they're essentially the same company).

Changing your password here is no good, you need to go to LinkedIn and then your account settings, then third party apps and delete whatever it was you allowed to connect. Despite all the failings of OAuth that's one of the good features about it, you can actually control the access.

Tip: if you're logging in using OAuth (generally when you get redirected to another site to confirm) always check the requested scopes and always remove all the scopes but those essential to the functioning of the calling app/site, which is usually just access to your e-mail address. If you can't disallow certain scopes then try logging in using something else, GitHub, Facebook, whatever, and rinse and repeat. If you're still not happy then just sign up with a throwaway e-mail.
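The tip above (check the requested scopes, grant only what the calling site needs, treat anything that can act as you as a red flag) can be turned into a small pre-consent check. The following is an added example, not code from the thread or from LinkedIn or iCIMS. The scope identifiers in `SCOPE_CATALOG` are assumptions modelled on the human-readable permission list in the original post, and the authorization URL is a constructed sample; swap in the real identifiers of whichever provider you use.

```python
"""Review the scopes an OAuth client asks for before clicking "Allow".

Added example for the thread above; not the page's own code. Scope names
below are assumptions modelled on the permission list in the original post.
"""
from urllib.parse import parse_qs, urlparse

# Assumed scope identifier -> (what the consent screen calls it, can the app act as you?)
SCOPE_CATALOG = {
    "r_basicprofile": ("Your profile overview", False),
    "r_fullprofile": ("Your full profile", False),
    "r_emailaddress": ("Your email address", False),
    "r_network": ("Your connections", False),
    "r_contactinfo": ("Your contact info", False),
    "rw_nus": ("Network updates: retrieves and posts updates as you", True),
    "rw_groups": ("Group discussions: retrieves and posts group discussions as you", True),
    "w_messages": ("Invitations and messages: sends messages and invitations as you", True),
}

# Per the tip: a job application site only needs your e-mail address.
ESSENTIAL_SCOPES = frozenset({"r_emailaddress"})


def requested_scopes(authorize_url: str) -> list[str]:
    """Extract the scope list from an authorization request URL."""
    query = parse_qs(urlparse(authorize_url).query)
    raw = query.get("scope", [""])[0]
    # OAuth 2.0 (RFC 6749 section 3.3) separates scopes with spaces; parse_qs
    # already turns '+' into a space, and some providers use commas instead.
    return [s for s in raw.replace(",", " ").split() if s]


def review_scopes(authorize_url: str, essential=ESSENTIAL_SCOPES) -> dict:
    """Sort each requested scope into essential / excess read / excess write / unknown."""
    report = {"essential": [], "excess_read": [], "excess_write": [], "unknown": []}
    for scope in requested_scopes(authorize_url):
        if scope in essential:
            report["essential"].append(scope)
        elif scope not in SCOPE_CATALOG:
            report["unknown"].append(scope)          # can't judge it: treat as excess
        elif SCOPE_CATALOG[scope][1]:
            report["excess_write"].append(scope)     # lets the app act as you
        else:
            report["excess_read"].append(scope)
    return report


def consent_recommendation(report: dict) -> str:
    """'ok' = only essential scopes; 'review' = extra read access; 'deny' = can act as you."""
    if report["excess_write"] or report["unknown"]:
        return "deny"
    if report["excess_read"]:
        return "review"
    if not report["essential"]:
        return "review"  # no scope parameter: the provider applies a default you can't see
    return "ok"


# Constructed sample: the eight permissions the original poster was shown, as one request.
EXAMPLE_URL = (
    "https://idp.example/oauth/authorize?response_type=code&client_id=EXAMPLE_CLIENT"
    "&scope=r_basicprofile+r_fullprofile+r_emailaddress+r_network+r_contactinfo"
    "+rw_nus+rw_groups+w_messages&redirect_uri=https%3A%2F%2Fcareers.example%2Fcb"
)

if __name__ == "__main__":
    result = review_scopes(EXAMPLE_URL)
    for bucket, scopes in result.items():
        for scope in scopes:
            label = SCOPE_CATALOG.get(scope, ("(unknown scope)", None))[0]
            print(f"{bucket:13} {scope:16} {label}")
    print("recommendation:", consent_recommendation(result))
```

Running it on the sample request lists three scopes that let the application post and send messages as you, so the recommendation is `deny`; the same URL with `scope=r_emailaddress` comes back `ok`. The useful habit is the one the comment describes: read the `scope` parameter (or the consent screen that renders it) every time, because the same "Sign in with ..." button asks for a different set on every site.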


Thanks. I had quite a few apps in there.



