A flaw in LinkedIn’s autofill plugin could allow hackers to steal your full name, phone number, email address, ZIP code, company and job title. Malicious sites have been able to render the plugin invisibly across their entire page, so that a visitor who is logged into LinkedIn and clicks anywhere unknowingly triggers the hidden autofill and hands over that data.
A security researcher named Jack Cable originally discovered the issue on April 9th and immediately disclosed it to LinkedIn. The company issued a fix that restricted the autofill feature to whitelisted sites that pay LinkedIn to host their ads, but this still left it open to abuse.
Mr Cable also confirmed that hackers can still run the autofill on their own sites by loading a vulnerable whitelisted site in an iframe.
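The iframe bypass described above depends on the whitelisted partner page allowing any site to frame it. As an added example (not code from the article, from LinkedIn or from TechCrunch), the following Node.js check takes a page’s response headers and a would-be embedding origin and reports whether a browser would permit the frame, implementing the relevant subset of CSP `frame-ancestors` and `X-Frame-Options` matching. The partner origin, outsider domain and header values are constructed sample values.

```javascript
// Added example, not code from the article, TechCrunch or LinkedIn.
// Audits whether a page's response headers let it be embedded in an iframe by a
// given ancestor origin. A partner ("whitelisted") site that anyone can frame lends
// its autofill permission to whoever frames it; the defence is for that site to send
// frame-ancestors / X-Frame-Options, which is what this check evaluates.
// Origins, domains and policies below are constructed sample values.

const DEFAULT_PORT = { "https:": "443", "http:": "80" };

// Return the frame-ancestors source list from a CSP header (lowercased tokens),
// or null when the header is absent or carries no frame-ancestors directive.
function frameAncestors(cspHeader) {
  if (!cspHeader) return null;
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Match one CSP host-source or scheme-source against an ancestor origin
// (subset of the CSP matching rules: scheme, leading wildcard label, port).
function sourceMatches(source, ancestorOrigin) {
  const anc = new URL(ancestorOrigin);
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return anc.protocol === source; // e.g. "https:"
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) {
    if (m[1] + ":" !== anc.protocol) return false; // explicit scheme must match
    host = m[2];
  }
  const [hostPattern, port] = host.split(":");
  const ancPort = anc.port || DEFAULT_PORT[anc.protocol] || "";
  if (port === undefined) {
    if (anc.port !== "") return false; // a source without a port only matches the default port
  } else if (port !== "*" && port !== ancPort) {
    return false;
  }
  if (hostPattern.startsWith("*.")) {
    const suffix = hostPattern.slice(1); // "*.partner.example" -> ".partner.example"
    return anc.hostname.endsWith(suffix) && anc.hostname.length > suffix.length;
  }
  return anc.hostname === hostPattern;
}

// Decide whether pageOrigin, served with these response headers (lowercase keys, as
// Node's IncomingMessage.headers provides them), may be framed by ancestorOrigin.
function framingAllowed(headers, pageOrigin, ancestorOrigin) {
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // When frame-ancestors is present it takes precedence over X-Frame-Options.
    if (sources.length === 1 && sources[0] === "'none'") return false;
    return sources.some((src) =>
      src === "'self'" ? sameOrigin(pageOrigin, ancestorOrigin) : sourceMatches(src, ancestorOrigin)
    );
  }
  const xfo = (headers["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return false;
  if (xfo === "sameorigin") return sameOrigin(pageOrigin, ancestorOrigin);
  return true; // no anti-framing header at all: any origin may embed the page
}

// Constructed sample responses from a hypothetical partner site.
const WEAK_HEADERS = { "content-type": "text/html" };
const HARDENED_HEADERS = {
  "content-type": "text/html",
  "x-frame-options": "DENY",                           // legacy browsers
  "content-security-policy": "frame-ancestors 'self'", // modern browsers; 'none' if the page is never framed
};

const PARTNER = "https://partner.example";
const OUTSIDER = "https://third-party.example";

console.log("weak page, framed by outsider:", framingAllowed(WEAK_HEADERS, PARTNER, OUTSIDER));         // true
console.log("hardened page, framed by outsider:", framingAllowed(HARDENED_HEADERS, PARTNER, OUTSIDER)); // false
console.log("hardened page, framed by itself:", framingAllowed(HARDENED_HEADERS, PARTNER, PARTNER));    // true
```

Feed it the real headers of a partner page (for example from `curl -I`) to confirm the page refuses framing by anything but its own origin; a page that returns `true` for an arbitrary outsider origin is in exactly the state the article describes.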
LinkedIn told TechCrunch it doesn’t have evidence that the weakness was exploited to gather user data. But Cable says “it is entirely possible that a company has been abusing this without LinkedIn’s knowledge, as it wouldn’t send any red flags to LinkedIn’s servers.”
When Mr Cable set up a LinkedIn signup page, he was able to extract his email address even though it was set to private.
“It seems like LinkedIn accepts the risk of whitelisted websites (and it is a part of their business model), yet this is a major security concern,” Cable wrote to TechCrunch.
A LinkedIn spokesperson said:
“We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them”.