According to the white hat hacker, LinkedIn's popular AutoFill feature, combined with a cross-site scripting (XSS) vulnerability, may have allowed external sites to stealthily harvest private user data. Normally, the AutoFill feature only works on specifically whitelisted sites, where it fills in information pulled from the user's profile such as name, email address, phone number, location, and job history. That information is then transferred into an application form on the external whitelisted site. Getting a domain whitelisted is simple and has been available for years to anyone using LinkedIn's Marketing Solutions.
The exploit works by making the AutoFill button invisible and stretching it to span the entire page, so that any click anywhere on the page registers as an AutoFill trigger and sends all of the requested data to the site. In addition, a security compromise of any site whitelisted by LinkedIn could lead to the collected data being sent to malicious parties.
After the report came to light, LinkedIn issued the following statement to TechCrunch:
We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.
For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile.