A flaw in LinkedIn’s AutoFill plugin that websites use to let you quickly complete forms could have allowed hackers to steal your full name, phone number, email address, ZIP code, company and job title. Malicious sites have been able to invisibly render the plugin on their entire page so if users who are logged into LinkedIn click anywhere, they’d effectively be hitting a hidden “AutoFill with LinkedIn” button and giving up their data.
Researcher Jack Cable discovered the issue on April 9th, 2018 and immediately disclosed it to LinkedIn. The company issued a fix on April 10th but didn’t inform the public of the issue. Cable quickly informed LinkedIn that its fix, which restricted the use of its AutoFill feature to whitelisted sites that pay LinkedIn to host their ads, still left it open to abuse. If any of those sites have cross-site scripting vulnerabilities, which Cable confirmed some do, hackers can still run AutoFill on their sites by installing an iframe to the vulnerable whitelisted site. After getting no response from LinkedIn over the following nine days, Cable reached out to TechCrunch.
This means that if a visitor clicks anywhere on a page carrying that iframe, LinkedIn interprets the click as a press of the AutoFill button and sends the relevant user data to the malicious webmaster.
LinkedIn fixed the feature a day after being informed, restricting it to whitelisted sites paying to host ads. However, this still left users potentially exposed. That’s because any of those whitelisted sites which have cross-site scripting vulnerabilities would have allowed hackers to run the same maliciously crafted iframe on them to harvest user details.
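To make the gap concrete, here is an added example (not LinkedIn's code) that models the two decision rules described above: the allowlist-only fix, which still releases data when the click comes from an allowlisted site compromised by XSS, beside a stronger rule that also requires the user to confirm in a top-level window that refuses to be framed. The endpoint shape, the `AutofillRequest` fields and the allowlisted origin are all hypothetical.

```python
"""Added example, not LinkedIn's code: why an origin allowlist alone does not
stop the invisible-iframe clickjacking described in the article.

Hypothetical design: the AutoFill data endpoint knows the origin of the page
that embedded the plugin, and the stronger policy releases profile data only
after the user confirms in a LinkedIn-hosted top-level window whose response
headers forbid framing.
"""
from dataclasses import dataclass

# Constructed allowlist standing in for "whitelisted domains for approved advertisers".
ALLOWLIST = {"https://approved-advertiser.example"}


@dataclass
class AutofillRequest:
    embedding_origin: str      # origin of the page that rendered the plugin
    confirmed_top_level: bool  # user clicked "Allow" in an unframeable LinkedIn window


def allowlist_only(req: AutofillRequest) -> bool:
    """Fix #1 from the article: release data if the embedding origin is allowlisted."""
    return req.embedding_origin in ALLOWLIST


def allowlist_and_consent(req: AutofillRequest) -> bool:
    """Stronger policy: the origin must be allowlisted AND the user must have
    confirmed in a top-level window, which a hidden overlay cannot click for them."""
    return req.embedding_origin in ALLOWLIST and req.confirmed_top_level


def frames_blocked(headers: dict) -> bool:
    """True if the confirmation page's response headers refuse framing by anyone,
    via X-Frame-Options: DENY or a CSP frame-ancestors 'none' directive."""
    if headers.get("X-Frame-Options", "").strip().upper() == "DENY":
        return True
    for directive in headers.get("Content-Security-Policy", "").split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:] == ["'none'"]
    return False


# The case the article describes: an XSS on an allowlisted site loads the
# iframe from an allowlisted origin, but the click came from an invisible
# overlay, so no top-level confirmation ever happened.
XSS_ON_ALLOWLISTED = AutofillRequest("https://approved-advertiser.example", False)
```

Running `allowlist_only(XSS_ON_ALLOWLISTED)` returns `True`, which is exactly the residual exposure the article describes, while `allowlist_and_consent` rejects the same request.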
LinkedIn sent the following statement to TechCrunch:
We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.
For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile.
With all eyes on security, tech companies may need to become more responsive to researchers pointing out flaws. While LinkedIn initially moved quickly, its attention to the issue lapsed while only a broken fix was in place. Meanwhile, government officials considering regulation should focus on strengthening disclosure requirements for companies that discover breaches or vulnerabilities. If they know they’ll have to embarrass themselves by informing the public about their security flaws, they might work harder to keep everything locked tight.