LinkedIn AutoFill plugin bug left user data exposed

The flaw, now patched, could have allowed attackers to steal personal data undetected

code

An AutoFill plugin offered to LinkedIn members was affected by a bug that could have allowed an attacker to steal users' personal data.

The feature, which is offered to paying customers of LinkedIn's Marketing Solutions, allows a user to fill a website's form with their personal information, such as name, email address, phone number and place of work, at the click of a button.

If any of the websites compatible with the plugin contained a cross-site scripting (XSS) flaw that enabled an attacker to run malicious code, it would allow them to exploit the domain and steal any profile data the sites would retrieve from the user.

The flaw, which has now been patched according to LinkedIn, was flagged by teenage white hat hacker Jack Cable, who reported the vulnerability to LinkedIn and created a Proof of Concept demonstration to show how an attacker could run code to steal user data.

Although LinkedIn claims its AutoFill plugin was only compatible with domains it had whitelisted, Cable demonstrated that any website could have been a source of abuse until early April, when a patch was first applied.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The patch, put into action on 10 April, according to Cable, restricted AutoFill to whitelisted sites only. But the bug remained in the plugin until a second patch was applied on 19 April.

LinkedIn said in a statement: "We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly.

"While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.

"For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile."

Image credit: Bigstock

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/security/cyber-security/354468/if-not-passwords-then-what
cyber security

If not passwords then what?

8 Jan 2020
Visit/policy-legislation/31772/gdpr-and-brexit-how-will-one-affect-the-other
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020