The LinkedIn AutoFill function was recently found to be susceptible to leaking personal data by an 18-year-old researcher from Chicago, Jack Cable of Lightning Security.
Cable realized that user data could be harvested by placing the AutoFill button on a malicious site, stretching it to fill the entire page and rendering it invisible to users. When someone visited the malicious site and clicked on any part of the page, they would in fact be clicking the invisible AutoFill button, which would then hand their LinkedIn data to the website.
The AutoFill function on LinkedIn lets websites offer users the option of quickly filling out forms with data taken from their LinkedIn profile. Users need only to click the AutoFill button on a webpage and many of its fields will automatically be pre-populated with their LinkedIn data, such as name, title, company, email address, city, state, zip code, country and phone number.
This information may seem commonplace, but it could easily be put to use in fraud or other attacks; had it been exploited (LinkedIn assured users it had found no evidence of the bug being exploited in the wild), it would likely have represented a major scandal for the company.
LinkedIn has long offered the button to paying Marketing Solutions customers, who can add it to their websites so that LinkedIn users can easily fill in their profile data and do business with less friction.
The type of attack that Cable identified clearly violated LinkedIn’s policies on AutoFill, including the fact that the user wasn’t able to see that their data was being entered. Furthermore, some of the exposed data included non-public information; the company only allows public data to be used in conjunction with the AutoFill function.
Cable’s test page demonstrating how the bug worked (when it was reported) can be viewed here.
The vulnerability was reported to LinkedIn by Cable on April 9th and the next day, the social networking giant released a temporary solution, which restricted the AutoFill functionality to only whitelisted sites. However, Cable pointed out that whitelisted websites could still have collected user data by accessing his PoC with a single click; furthermore, other whitelisted sites could be compromised themselves and then abused for data theft. The company then issued a more permanent fix on April 19th. Its full response can be read on TechCrunch.
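As an added example (not code from LinkedIn or from Cable's report), the checks an embedded AutoFill-style widget could run before honouring a click, covering both the invisible full-page button described above and the limits of the whitelist interim fix. The function and constant names, the allowlist entry and the sample measurements are assumptions.

```javascript
// Added example (not LinkedIn's or Cable's code): defensive checks an embedded
// AutoFill-style widget could run before honouring a click. The functions are
// DOM-free so they can run anywhere; in a page you would feed them
// getBoundingClientRect(), getComputedStyle() and the embedder's origin.
// All names, the allowlist entry and the measurements below are hypothetical.

// Origin allowlist (the interim fix). Constructed sample entry.
const ALLOWED_EMBEDDERS = new Set(["https://partner.example"]);

// Size the widget is designed to render at, in CSS pixels (assumed values).
const NOMINAL_SIZE = { width: 220, height: 40 };

// Normalise a URL (e.g. document.referrer or a Referer/Origin header) to its origin.
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Returns { allow, reasons }. `rect` and `viewport` are { width, height };
// `style` carries the computed opacity/visibility/display strings.
function assessClick({ rect, viewport, style, embedderUrl }, allowlist = ALLOWED_EMBEDDERS) {
  const reasons = [];

  // 1. Allowlist: necessary but not sufficient, since a compromised allowlisted
  //    site can host the same invisible-button trick.
  const origin = originOf(embedderUrl);
  if (origin === null || !allowlist.has(origin)) reasons.push("origin-not-allowlisted");

  // 2. Visibility: a button the user cannot see cannot carry a consenting click.
  const opacity = Number.parseFloat(style.opacity);
  if (!(opacity >= 0.9) || style.visibility === "hidden" || style.display === "none") {
    reasons.push("not-visible");
  }

  // 3. Coverage: a widget stretched over most of the viewport is UI redressing.
  const coverage = (rect.width * rect.height) / (viewport.width * viewport.height);
  if (coverage > 0.5) reasons.push("covers-page");

  // 4. Oversizing relative to the nominal rendering, even if it does not fill the page.
  if (rect.width > NOMINAL_SIZE.width * 3 || rect.height > NOMINAL_SIZE.height * 3) {
    reasons.push("oversized");
  }

  return { allow: reasons.length === 0, reasons };
}
```

The allowlist check only helps if the embedding origin is also enforced on the server from the Origin or Referer header, since a page can trivially misreport its own origin to client-side script.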
Cable has also reported vulnerabilities in Medium, Yahoo, Google and the U.S. Department of Defense, along with numerous other organizations.