TL;DR: LinkedIn email subscription uses no auth token. This means that anyone can manipulate your email subscription without your approval.

To find out how I discovered it and what the other possible implications are, read on!


I received a LinkedIn request from a fellow entrepreneur to connect. Since I’m mostly inactive on LinkedIn, I opened the email and clicked on the unsubscribe link.


The unsubscribe link brought me to the unsubscribe page without any authentication. I proceeded to click “Save”.


Everything went smoothly and my email settings were updated.


But wait! Why are these settings not protected by an authentication token or service?

How anyone can edit your LinkedIn email settings:

1. Edit the email subscription URL, substituting a different email address in the email parameter:

   http://www.linkedin.com/settings/email-unsubscribe?id=20008&mid=224988018&aid=72gtpjsvfahq7sh&email=xxx%40gmail%2Ecom&eid=-nmd1bo-hqq84r03-4c

   (The “email=xxx%40gmail%2Ecom” part is the one to edit.)

2. Paste the edited URL into the browser and you will see the email settings page for that address, with no authentication required.

By varying the email parameter, anyone can change the email subscription settings without the owner’s approval.
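The root cause is that the email parameter in the unsubscribe link is the only thing the server uses to decide whose settings to change, and nothing ties that parameter to the recipient the link was generated for. The usual fix is to sign the link: the server includes an HMAC over the email (and an expiry) in the URL and rejects any request whose signature does not match, so editing the email parameter produces a link that no longer verifies. The code below is an added illustration of that mitigation, not LinkedIn's code; the host, the parameter names (email, exp, sig), the one-week lifetime and the secret are all assumptions made for the example.

```python
"""Signed unsubscribe links: mitigation example (constructed, not LinkedIn's code).

The signature covers the email address and an expiry time, so the link only
acts on the address it was issued for and stops working after a week.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder host and path; the real service would use its own.
BASE_URL = "https://example.invalid/settings/email-unsubscribe"
TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumed one-week validity


def _mac(secret: bytes, email: str, exp: int) -> str:
    # Sign every parameter that changes the effect of the request. Altering
    # either the email or the expiry without the secret invalidates the link.
    msg = f"{email.lower()}|{exp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_unsubscribe_link(secret: bytes, email: str, now: Optional[int] = None) -> str:
    """Build a link for `email` that verifies only for that address."""
    now = int(time.time()) if now is None else now
    exp = now + TOKEN_TTL_SECONDS
    query = urlencode({"email": email, "exp": exp, "sig": _mac(secret, email, exp)})
    return f"{BASE_URL}?{query}"


def verify_unsubscribe_link(secret: bytes, url: str, now: Optional[int] = None) -> Optional[str]:
    """Return the email the link is authorised to act on, or None to reject it."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlsplit(url).query)
    try:
        email = params["email"][0]
        exp = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None  # missing or malformed parameters
    if exp < now:
        return None  # expired link
    # Constant-time comparison so timing does not reveal how much of the MAC matched
    if not hmac.compare_digest(sig, _mac(secret, email, exp)):
        return None
    return email


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # would come from a secrets store in practice
    link = make_unsubscribe_link(secret, "alice@example.com")
    print("valid link   ->", verify_unsubscribe_link(secret, link))
    # Swapping the address the way the post describes now fails verification
    tampered = link.replace("alice%40example.com", "bob%40example.com")
    print("edited email ->", verify_unsubscribe_link(secret, tampered))
```

The server-side handler should act only on the address returned by `verify_unsubscribe_link`, never on the raw query parameter; with that in place, the change-someone-else's-settings step described above yields a rejected request rather than an updated preference.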

This raises the questions:

  1. Why is the email subscription not protected by a security token or placed behind an authentication service? Is the email subscription not part of LinkedIn’s privacy concerns?

  2. Which other LinkedIn APIs are not protected?

  3. How will this affect paid users, since (I assume) they rely on email for business?