A new vulnerability was discovered in Linkedin’s popular AutoFill functionality where it has been found to be leaking its users’ personal information to third party websites without the knowledge of the user.
LinkedIn has been providing an AutoFill plugin since a long time that are used by other websites to allow the LinkedIn users to easily fill in profile data, including their full name, phone number, email address, ZIP code, company and job title, etc. with just a click.
The AutoFill button normally works on some specific “whitelisted websites,” but it has been revealed by an 18-year-old security researcher Jack Cable of Lightning Security that it was not really that is happening.
Cable found out that the feature was afflicted with an important security vulnerability that likely enabled any website to secretly harvest user profile data without the user knowing about it.
A genuine website will put an AutoFill button near the fields the button can fill, but an attacker can secretly use this feature on his website by changing its properties to spread the button across the entire web page and then make it invisible.
As the AutoFill button is invisible, when the user clicks on anywhere on the website it will trigger AutoFill, thereby sending all of their data to the malicious website.
Let’s see how the hackers can exploit the LinkedIn Flaw:
First the user visits the malicious website that loads the LinkedIn AutoFill button iframe.
The iframe is fashioned in such a way that it takes up the entire page and is invisible to the user.
When the user clicks anywhere on that page, LinkedIn considers this as the AutoFill button being pressed and sends the users’ data via postMessage to the malicious site.
Cable discovered this vulnerability on April 9th and immediately reported it to LinkedIn. They immediately issued a temporary fix without informing the users. But this fix only restricted the use of LinkedIn’s AutoFill feature to whitelisted websites only who pay LinkedIn to host their advertisements. Cable stated that the patch was incomplete and as the whitelisted sites still could have collected user data.
Apart from that if any of the sites whitelisted by LinkedIn gets compromised, the AutoFill feature can be exploited to send the received data to malicious third-parties.
LinkedIn claims that they have immediately prevented unauthorized use of this feature after being aware of it and that they are now preparing another fix to deal with potential abuse cases. Even though they have not seen any abuse they are constantly working to ensure the users data stays protected.
While the vulnerability is not a critical one, such security loopholes may pose a serious threat not only to the users but also to the company.