LinkedIn bug allowed private data to be stolen from profiles

Fresh from signing the multi-corporation Cybersecurity Tech Accord, Microsoft's LinkedIn platform is under scrutiny after a discovery by security researcher Jack Cable.

According to the white hat hacker, LinkedIn's AutoFill feature, combined with a clickjacking-style weakness in how it could be embedded, may have allowed external sites to stealthily harvest private user data. The AutoFill feature is meant to function only on specifically whitelisted sites, where it fills in information pulled from the user's profile such as name, email address, phone number, location, and job history. That information is then transferred into an application form on the whitelisted site. Getting a domain whitelisted is straightforward and has been available for years to any customer of LinkedIn Marketing Solutions.

The exploit works by embedding the AutoFill button on the attacker's page, making it invisible, and stretching it to cover the entire page, so that any click anywhere on the page registers as a click on the button and sends all of the requested profile data to that site. Separately, a compromise of any site already on LinkedIn's whitelist could lead to the data collected there being sent to malicious parties.
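The overlay trick described above is a clickjacking pattern, and the defence belongs on the server that serves the embeddable widget. The following is an added example written for this article; it is not LinkedIn's code and is not taken from Jack Cable's write-up. The endpoint, the allowlist entries, the request shape and all names are assumptions. It fails closed when the embedding page cannot be identified, compares origins exactly rather than by suffix, and sets a Content-Security-Policy frame-ancestors header so the browser itself refuses to render the widget inside any unlisted frame, including a nested frame chain that goes through a whitelisted site.

```javascript
// Added example for this article: a server-side embed gate for a profile
// AutoFill widget. Not LinkedIn's code; endpoint, allowlist and names are
// hypothetical.

// Hypothetical allowlist of origins permitted to embed the widget.
const ALLOWED_ORIGINS = new Set([
  "https://careers.example.com",
  "https://jobs.example.org",
]);

// What the article's attacker page does to the embedded widget: invisible,
// covering the viewport, on top of everything, so every click lands on it.
// Listed only to show what the headers below defend against.
const OVERLAY_CSS =
  "position:fixed;inset:0;width:100vw;height:100vh;opacity:0;border:0;z-index:2147483647";

// Reduce an Origin or Referer header value to a canonical origin, or null.
// Rejects non-HTTPS embedders, unparsable values and the literal "null" origin.
function originOf(headerValue) {
  if (typeof headerValue !== "string" || headerValue === "" || headerValue === "null") {
    return null;
  }
  let url;
  try {
    url = new URL(headerValue);
  } catch {
    return null;
  }
  return url.protocol === "https:" ? url.origin : null;
}

// Strict comparison on scheme + host + port. A suffix or substring match
// would let https://careers.example.com.evil.net through.
function isAllowedEmbedder(headerValue, allowed = ALLOWED_ORIGINS) {
  const origin = originOf(headerValue);
  return origin !== null && allowed.has(origin);
}

// Handle a request for the widget document (GET) or the profile-data release
// (POST). `req` mirrors Node's http.IncomingMessage shape: { method, headers }
// with lower-cased header names. Returns { status, headers, body }.
function handleAutofillRequest(req, allowed = ALLOWED_ORIGINS) {
  // A framed GET carries Referer (origin-only under the default referrer
  // policy); the data POST carries Origin. Either may be absent if the
  // embedding page suppresses it, in which case we fail closed.
  const embedder = originOf(req.headers.origin) ?? originOf(req.headers.referer);

  if (embedder === null || !allowed.has(embedder)) {
    return {
      status: 403,
      headers: { "content-security-policy": "frame-ancestors 'none'" },
      body: "",
    };
  }

  if (req.method === "POST") {
    // Profile data is released only to the verified embedder.
    return {
      status: 200,
      headers: { "content-type": "application/json" },
      body: JSON.stringify({ released_to: embedder }),
    };
  }

  return {
    status: 200,
    headers: {
      // Referer only names the direct parent document. frame-ancestors is
      // checked by the browser against every ancestor, so an attacker page
      // that frames a whitelisted page that frames this widget is still
      // refused.
      "content-security-policy": `frame-ancestors ${embedder}`,
      "content-type": "text/html; charset=utf-8",
    },
    body: '<!doctype html><button id="autofill">Autofill from your profile</button>',
  };
}

// Stand-alone demonstration: an embed with no identifiable parent is refused.
console.log(handleAutofillRequest({ method: "GET", headers: {} }).status); // 403
```

A whitelisted site that is itself compromised is not stopped by any of this, since its origin is legitimately on the list; that case is why the user-facing step should remain a visible, deliberate click rather than something an invisible overlay can capture.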

After the report came to light, LinkedIn issued the following statement to TechCrunch:

We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.

For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile.

For full details of the hack and how it operates, see Jack Cable's extensive write up at Lightning Security.

Source: Lightning Security, TechCrunch | Image via Shutterstock
