LinkedIn Autofill flaw lets hackers harvest website visitors' personal info

News by Jay Jay

A vulnerability in LinkedIn's AutoFill feature allowed malicious actors to harvest personal information of LinkedIn users by embedding LinkedIn's AutoFill iframe in a website under their control, even though the feature was meant to work only on domains whitelisted by LinkedIn, a security researcher has revealed.

According to researcher Jack Cable, who described the exploit in a detailed blog post, once a malicious actor lures a victim to a website the attacker controls, that page loads a LinkedIn AutoFill button iframe styled so that it covers the entire page while remaining invisible to the user.

If the visitor clicks anywhere on the page, then according to Cable, "LinkedIn interprets this as the AutoFill button being pressed, and sends the information via postMessage to the malicious site".
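The exchange described above, as an added example that is not part of the original article and not LinkedIn's code: a Node-runnable model of the AutoFill iframe's click handler in its vulnerable form (wildcard postMessage to whichever page embedded it) beside a hardened form (embedder whitelist, pinned targetOrigin, an origin check on the receiving page, and a frame-ancestors header that stops the frame being rendered inside an unapproved site at all). The origins, the whitelist, the sample profile and the function names are assumptions; how a real frame learns its embedder's origin is outside the example.

```javascript
// Added example, not LinkedIn's code. Models the AutoFill iframe's click handler in a
// vulnerable and a hardened form, runnable in Node. Origins, whitelist, profile and
// function names are assumptions made for illustration.

const AUTOFILL_ORIGIN = "https://www.linkedin.com";                        // frame's own origin (assumed)
const ALLOWED_EMBEDDERS = new Set(["https://ads.example-advertiser.com"]); // hypothetical whitelist

// Constructed sample profile with the field types the article says were exposed.
const SAMPLE_PROFILE = {
  name: "Ada Example", email: "ada@example.com", location: "London",
  title: "Engineer", company: "Example Ltd", zip: "SW1A 1AA",
};

// Stand-in for a browser window so the exchange runs offline. As with the real API,
// a message is dropped when targetOrigin is neither "*" nor the receiving window's origin.
function makeWindow(origin) {
  return {
    origin,
    inbox: [],
    postMessage(data, targetOrigin) {
      if (targetOrigin !== "*" && targetOrigin !== this.origin) return;
      this.inbox.push({ origin: AUTOFILL_ORIGIN, data });
    },
  };
}

// Vulnerable pattern: the frame never asks who embedded it and broadcasts with a wildcard
// targetOrigin, so one click on an invisible overlay hands the profile to any parent page.
function vulnerableOnClick(parent) {
  parent.postMessage(SAMPLE_PROFILE, "*");
  return true;
}

// Hardened pattern: refuse embedders outside the whitelist, and pin targetOrigin so that
// even a wrong window reference cannot receive the data. (How the frame learns
// embedderOrigin, e.g. location.ancestorOrigins or a server-issued token bound to the
// advertiser's domain, is outside this example.)
function hardenedOnClick(parent, embedderOrigin) {
  if (!ALLOWED_EMBEDDERS.has(embedderOrigin)) return false;
  parent.postMessage(SAMPLE_PROFILE, embedderOrigin);
  return true;
}

// Receiving side on the advertiser's page: accept only messages from the AutoFill origin.
function acceptAutofillMessage(event) {
  if (event.origin !== AUTOFILL_ORIGIN) return null;
  const { name, email, company } = event.data;
  return { name, email, company };
}

// Response header the frame can send so browsers refuse to render it inside any other site,
// which defeats the full-page invisible overlay before a click can happen.
function frameAncestorsHeader() {
  return "Content-Security-Policy: frame-ancestors " + [...ALLOWED_EMBEDDERS].join(" ");
}

// One click from a page at embedderOrigin, routed through the given handler.
function simulateClick(embedderOrigin, handler) {
  const parent = makeWindow(embedderOrigin);
  const sent = handler(parent, embedderOrigin);
  const received = parent.inbox.map(acceptAutofillMessage).filter(Boolean);
  return { sent, received };
}

// Stand-alone run: the attacker's page gets the profile only from the vulnerable handler.
console.log(simulateClick("https://evil.example", vulnerableOnClick));
console.log(simulateClick("https://evil.example", hardenedOnClick));
console.log(simulateClick("https://ads.example-advertiser.com", hardenedOnClick));
console.log(frameAncestorsHeader());
```

The two checks in the hardened path are independent: the whitelist decides whether to send at all, and the pinned targetOrigin makes the browser drop the message if the window it is sent to is not the one expected. The receiving page's origin check is the advertiser's half of the contract and is what stops a spoofed "autofill" message from an unrelated frame being written into the form.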

He added that the flaw exposed personal information of LinkedIn users to websites that were not on the platform's whitelist, and that even the whitelisted sites represented a risk. "This had entrusted the privacy of LinkedIn users to the security of third-party websites. A compromise in any of the whitelisted websites would have exposed the information of LinkedIn users to malicious hackers," he said.

Personal information that the owner of a malicious website could harvest by exploiting the flaw included full names, email addresses, locations, job titles, companies and zip codes. After Cable reported the vulnerability to LinkedIn, the company issued a patch and a public statement.

"We immediately prevented unauthorised use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. 

"While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.

"For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile," it said.

Joseph Carson, chief security scientist at Thycotic, told SC Magazine UK that the discovery of LinkedIn's AutoFill vulnerability should not put people off using the feature, which remains useful because it makes life easier and saves time.

"This is one where everyone should be taking a risk-based approach. In my opinion it is OK to use the autofill features; however, you should never be storing anything containing private or sensitive information.

"For example, it is OK to put in data which is already likely publicly available on the internet, such as your name, email address and company name; however, I would recommend not putting in your credit card details or mobile number," he said.

When asked what steps platforms like LinkedIn should take to ensure their users' personal information is not harvested by cyber-criminals misusing autofill features, he said that such platforms should limit the information included in autofill to less sensitive, publicly available data and should encrypt it. Autofill should also come with a warning message so that users are clear about what privacy is being maintained and are prompted to review the autofill data, he added.
