A critical security bug has been discovered in LinkedIn, more specifically in one of its social buttons. Exploiting the bug could have allowed harvesting of LinkedIn users’ information, including details that were not public. The discovery was made by Jack Cable, an 18-year-old bug hunter from Chicago.
More about the LinkedIn Autofill Bug
The vulnerability resided in the platform’s AutoFill feature, which powers the “AutoFill with LinkedIn” buttons found on some public job portals. A site can add the button to a job application form; when a user clicks it, the button queries LinkedIn, retrieves the user’s profile information and fills it into the application form.
Even though these buttons are useful, they could be abused by any website to harvest user information. Because the button is delivered in an iframe, a page could embed it secretly, resize it to cover the entire page and make it invisible by altering a few CSS properties, so that every click on the page lands on the hidden button.
This is how the attack works, as explained by the young researcher:
1. The user visits the malicious site, which loads the LinkedIn AutoFill button iframe.
2. The iframe is styled so it takes up the entire page and is invisible to the user.
3. The user clicks anywhere on the page. LinkedIn interprets this as the AutoFill button being pressed, and sends the information via postMessage to the malicious site.
4. The site harvests the user’s information via specific code.
Furthermore, any user who landed on such a page could have unknowingly handed their LinkedIn information to the site simply by clicking anywhere on it.
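To make the four steps above concrete, here is an added example (not LinkedIn’s code and not code from the researcher) that models the data flow in plain JavaScript: the embedded button frame decides what to post to the page that embedded it, the embedding page’s `message` listener collects whatever arrives, and a whitelist gate of the kind LinkedIn later introduced cuts the flow off for unapproved origins. The origins, the postMessage payload shape, the sample profile and the `looksLikeInvisibleOverlay` heuristic are all assumptions made for the example.

```javascript
// Added example, not LinkedIn's code: a model of the data flow in the four
// steps above and of the whitelist gate that closed it. The origins, the
// postMessage payload shape and the profile below are all assumptions.

// Constructed sample profile; `email` stands in for a field the user never
// made public on LinkedIn.
const SAMPLE_PROFILE = {
  name: "A. Example",
  email: "a.example@example.com",
  phone: "+1 555 0100",
};

// Job-portal origins assumed to be on the post-fix whitelist.
const WHITELISTED_EMBEDDERS = new Set(["https://careers.example-employer.com"]);

// Models the AutoFill frame's reaction to a click on its button.
// `embedderOrigin` is the origin of the page that embedded the frame (a real
// frame would derive it from document.referrer or location.ancestorOrigins).
// With `whitelist` set to null the frame behaves as before the fix and hands
// the profile to whichever page embedded it.
function autofillButtonClicked(embedderOrigin, whitelist) {
  if (whitelist !== null && !whitelist.has(embedderOrigin)) {
    return { targetOrigin: embedderOrigin, message: { type: "autofill-denied" } };
  }
  return {
    targetOrigin: embedderOrigin,
    message: { type: "autofill-data", profile: { ...SAMPLE_PROFILE } },
  };
}

// Models the embedding page's `message` listener. The harvesting site in the
// article does exactly this: it stores whatever profile data arrives.
function harvestingListener(event, sink) {
  if (event.data && event.data.type === "autofill-data") {
    sink.push(event.data.profile);
    return true;
  }
  return false;
}

// Runs one click through the whole chain: the frame decides what to post,
// then the embedding page's listener receives it. Returns what was harvested.
function simulateClick(embedderOrigin, whitelist) {
  const harvested = [];
  const { targetOrigin, message } = autofillButtonClicked(embedderOrigin, whitelist);
  // window.postMessage(message, targetOrigin) only delivers to a window whose
  // origin equals targetOrigin; here the embedder is that window by construction.
  const event = { origin: "https://www.linkedin.com", data: message, deliveredTo: targetOrigin };
  harvestingListener(event, harvested);
  return harvested;
}

// Heuristic for step 2: an iframe whose computed style makes it invisible yet
// covering the viewport. Handy when auditing a page for this overlay trick.
function looksLikeInvisibleOverlay(style) {
  const invisible = Number(style.opacity) === 0;
  const floating = style.position === "fixed" || style.position === "absolute";
  const fullSize = (s) => s === "100%" || s === "100vw" || s === "100vh";
  return invisible && floating && fullSize(style.width) && fullSize(style.height);
}

// Stand-alone demo of the three scenarios.
console.log("before fix, attacker page:", simulateClick("https://evil.example", null));
console.log("after fix, attacker page:", simulateClick("https://evil.example", WHITELISTED_EMBEDDERS));
console.log("after fix, approved portal:", simulateClick("https://careers.example-employer.com", WHITELISTED_EMBEDDERS));
```

Run with `node`: before the fix the attacker’s page receives the full profile, including the non-public email; after the fix the same click yields nothing for the attacker while an approved portal still gets the data. Note that the whitelist is enforced on the frame’s side, which is the only side the attacker does not control; an origin check in the attacker’s own listener would obviously never be added.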
Exploiting this bug was not difficult, and it could have been used in the wild for mass data harvesting. Fortunately it has been fixed: Cable reported the bug to LinkedIn, which temporarily restricted the button to a whitelist of trusted domains.
Because the button now only works on those approved domains, an arbitrary website can no longer embed it and harvest data through the mechanism described above.