Facebook has been battered over privacy limitations and the abuse of nearly a billion users’ data, but it has company in a fellow social network trying to stay afloat in the same troubled waters. Jack Cable, a whitehat hacker, has discovered a flaw in LinkedIn’s AutoFill feature that can allow malicious actors and websites to extract users’ information without their permission or even their knowledge.
According to Cable, cross-site scripting (XSS) exposes a vulnerability in the AutoFill plug-in, which certain other sites use to let LinkedIn users fill in their information on job applications without much effort. That information includes name, phone number, email ID, address and zip code, and job history. The AutoFill feature is only available on sites whitelisted by LinkedIn, but getting a website whitelisted is very easy: all the admins must do in exchange for the feature is pay for ads on LinkedIn.
Cable informed LinkedIn about the vulnerability on April 9, and the company promised a fix on the next day, which TechCrunch reports it delivered. However, there was no public disclosure of such a threat having existed.
Even so, Cable pointed to another possible attack. A whitelisted website can itself still be vulnerable, and a hacker can install an iframe on the target website. Through this, they can receive the auto-filled data at any location they choose. Getting an individual to transmit the AutoFill data is as simple as getting them to click anywhere within the iframe.
Having received no response from Microsoft-owned LinkedIn for over a week following the first exchange, Cable reached out to the social network via TechCrunch.
LinkedIn responded to the publication, saying it is “now pushing another fix that will address potential additional abuse cases”, but claimed the chances of such attacks are very low.
“It seems like LinkedIn accepts the risk of whitelisted websites (and it is a part of their business model), yet this is a major security concern”, Cable wrote on his website detailing the issue.