
LinkedIn bug allowed private data to be stolen from profiles


LinkedIn’s AutoFill feature and a cross-site scripting vulnerability may have allowed external sites to stealthily harvest private user data, such as email addresses, phone numbers and work history.
Fresh off of signing the multi-corporation Cybersecurity Tech Accord, Microsoft’s newly acquired LinkedIn platform is under fire for some recent discoveries by Jack Cable.
According to the white hat hacker, LinkedIn's popular AutoFill feature and a cross-site scripting (XSS) vulnerability may have allowed external sites to stealthily harvest private user data. Normally, the AutoFill feature only functions on specifically whitelisted sites, filling in information pulled from the user's profile such as name, email address, phone number, location, and job history. This information is then transferred into an application form on the whitelisted external site. Getting a domain whitelisted is simple and has been available for years to anyone using LinkedIn's Marketing Solutions.
The exploit works by making the AutoFill button invisible and stretching it to cover the entire page, so that any click anywhere on the page registers as an AutoFill trigger and sends all of the requested profile data to the site. In addition, a compromise of any of the sites whitelisted by LinkedIn, such as the XSS flaw mentioned above, would let an attacker run the same harvesting from a domain LinkedIn already trusts and forward the collected data to malicious parties.
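The attack described above is a clickjacking overlay: the victim's click lands on an invisible widget that hands profile data to whichever page embeds it. An embeddable widget provider has two places to enforce "only whitelisted sites": a `frame-ancestors` directive on the widget's response, so non-whitelisted pages cannot frame (and therefore cannot overlay) it at all, and an exact origin check before any data is handed back to the parent page. The following Node.js example is added here to illustrate those checks; it is not LinkedIn's code or Jack Cable's, and the domains, profile record and function names are hypothetical. It also shows why a substring-style origin check is not a whitelist. Note what it cannot fix: if a whitelisted site itself has an XSS flaw, the attacker's script already runs on a trusted origin and passes both checks, which is the second problem the article raises.

```javascript
// Added example (not LinkedIn's code): enforcing an embed allowlist for an
// autofill-style iframe widget. All domains and data below are hypothetical.

// Hypothetical allowlist of customer domains permitted to embed the widget.
const ALLOWLIST = ["jobs.example", "careers.example.org"];

// Constructed sample profile the widget would hand over on a click.
const SAMPLE_PROFILE = {
  name: "Jane Doe",
  email: "jane@example.net",
  phone: "+1 555 0100",
  location: "Springfield",
};

// Layer 1: tell browsers which parent pages may frame the widget at all.
// Sent on the widget's HTTP response, this stops a non-allowlisted page from
// loading the widget in an invisible, page-sized iframe in the first place.
function buildFrameAncestorsHeader(allowlist) {
  const sources = allowlist.map((host) => `https://${host}`).join(" ");
  return `Content-Security-Policy: frame-ancestors ${sources}`;
}

// WEAK: substring matching on the raw origin string. It accepts
// "https://jobs.example.evil.example" and "https://evil.example/?ref=jobs.example".
function naiveIsAllowedOrigin(origin, allowlist) {
  return allowlist.some((host) => origin.includes(host));
}

// HARDENED: parse the value, require https, and compare the serialized origin
// (scheme + host + port) exactly against the allowlist. A real origin string
// never carries a path, query or fragment, so anything with one is rejected.
function isAllowedOrigin(origin, allowlist) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // not a syntactically valid origin (e.g. the literal "null")
  }
  if (parsed.protocol !== "https:") return false;
  if (parsed.pathname !== "/" || parsed.search !== "" || parsed.hash !== "") {
    return false;
  }
  const allowed = new Set(allowlist.map((host) => `https://${host}`));
  return allowed.has(parsed.origin);
}

// Layer 2, simulated widget side: release profile data only to an allowlisted
// parent. In a browser this is the `message` handler checking event.origin
// before calling parent.postMessage(profile, event.origin).
function handleAutofillClick(parentOrigin, profile, allowlist = ALLOWLIST) {
  if (!isAllowedOrigin(parentOrigin, allowlist)) {
    return { released: false, data: null };
  }
  return { released: true, data: { ...profile } };
}

// Demonstration on a few hostile and legitimate parent origins.
const CANDIDATES = [
  "https://jobs.example",
  "https://careers.example.org",
  "https://jobs.example.evil.example",
  "https://evil.example/?ref=jobs.example",
  "http://jobs.example",
  "https://jobs.example:8443",
  "null",
];

console.log(buildFrameAncestorsHeader(ALLOWLIST));
for (const origin of CANDIDATES) {
  console.log(
    origin.padEnd(42),
    "naive:", naiveIsAllowedOrigin(origin, ALLOWLIST),
    "strict:", isAllowedOrigin(origin, ALLOWLIST),
    "released:", handleAutofillClick(origin, SAMPLE_PROFILE).released
  );
}
```

Run it with `node allowlist.js`. The naive check passes two attacker-controlled origins that the strict check rejects; the strict check also rejects plain http and a non-default port, since `https://jobs.example:8443` is a different origin from `https://jobs.example`.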
After the report came to light, LinkedIn issued the following statement to TechCrunch:
For full details of the hack and how it operates, see Jack Cable's extensive write-up at Lightning Security.
Source: Lightning Security, TechCrunch | Image via Shutterstock
