Autofill with LinkedIn Bug Could Lead to User Data Harvesting

A critical security bug has been discovered in LinkedIn, more specifically in a social button. The exploit of the bug could have led to harvesting of LinkedIn users’ information, including information that wasn’t public. The discovery was made by Jack Cable, an 18-year-old bug hunter from Chicago.

More about the LinkedIn Autofill Bug

Apparently, the vulnerability resided in the platform’s AutoFill feature that powers the corresponding “AutoFill with LinkedIn” buttons implemented on some public job portals. The LinkedIn button can be added to job application forms; when clicked, it makes a query to LinkedIn. Once this is done, the user’s information is retrieved and embedded in the job application form.

Even though these buttons are useful, they can be exploited by any website to harvest user information. Any website could embed the button secretly, resizing it to cover the entire page and overlaying it on the content. The button can be made invisible by simply altering a few CSS settings.

This is how an attack is carried out, as explained by the young researcher:

1. The user visits the malicious site, which loads the LinkedIn AutoFill button iframe.
2. The iframe is styled so it takes up the entire page and is invisible to the user.
3. The user clicks anywhere on the page. LinkedIn interprets this as the AutoFill button being pressed, and sends the information via postMessage to the malicious site.
4. The site harvests the user’s information via specific code.

Furthermore, any user that has landed on such a page may have unknowingly submitted LinkedIn information to the website by randomly clicking on the page.

Exploiting this bug is not difficult, and it could have been leveraged in the wild for mass data harvesting. Luckily, the bug has been fixed: Cable notified LinkedIn about it, and LinkedIn then temporarily restricted the button to a whitelist of trusted domains.

Thanks to this, attackers were unable to exploit the feature via the mechanism described above.
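As an added illustration (not LinkedIn’s code and not the researcher’s), this is how the iframe side of such a widget can refuse to hand profile data to an unlisted embedder: it acts only on an explicit request message from the parent page, checks that message’s origin against an allow-list, and replies with the verified origin as postMessage’s targetOrigin instead of "*". The allow-list entries, the profile fields and the simulated MessageEvent are constructed placeholders.

```javascript
// Constructed allow-list of embedder origins (placeholders, not LinkedIn's real list).
const TRUSTED_EMBEDDERS = new Set([
  "https://jobs.example-portal.com",
  "https://careers.example.org",
]);

// Normalise an origin string to scheme://host[:port]. Returns null for anything
// that is not a well-formed https origin or is not exactly an origin (no path, query).
// The opaque origin "null" (sandboxed or data: frames) is rejected as well.
function normalizeOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return null;
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (url.origin !== origin) return null; // e.g. a trailing slash or explicit :443 is not an origin
  return url.origin;
}

// Exact-match check: "https://jobs.example-portal.com.evil.net" is a different host.
function isTrustedEmbedder(origin) {
  const o = normalizeOrigin(origin);
  return o !== null && TRUSTED_EMBEDDERS.has(o);
}

// Handler the iframe would register with window.addEventListener("message", ...).
// `event` mimics a MessageEvent: { origin, data, source: { postMessage(data, targetOrigin) } }.
// Returns what was sent (useful for audit logging) or null when the request was dropped.
function handleAutofillRequest(event, profile) {
  if (!event || !event.data || event.data.type !== "autofill-request") return null;
  // Unknown or malformed parent origin: send nothing at all, not even an error with data.
  if (!isTrustedEmbedder(event.origin)) return null;
  const reply = { type: "autofill-profile", profile };
  // Reply only to the verified origin; never use "*" as targetOrigin for sensitive data.
  event.source.postMessage(reply, event.origin);
  return { targetOrigin: event.origin, reply };
}
```

A hidden, page-sized iframe on an unlisted site still receives clicks, but with this check the click produces no message, so there is nothing for the embedding page to harvest.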

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim