LinkedIn AutoFill flaw left users' personal data exposed to third parties

A serious vulnerability in LinkedIn’s Autofill feature, which allows approved third-party websites to quickly complete forms, could have allowed malicious actors to silently harvest user profile data. The AutoFill plugin allows LinkedIn members to automatically fill in basic information from their profile such as name, email address, location and where they work when signing up for a website or receive email newsletters.

LinkedIn only allows whitelisted domains approved by the company to have this functionality.

Security researcher and founder of Lightning Security, Jack Cable, described the exploit in a detailed blog post. Websites whitelisted by LinkedIn that contain a cross-site scripting (XSS) flaw could let an attacker to run malicious code on the site and leverage it to obtain data from LinkedIn.

Once the user visits the malicious site, the LinkedIn AutoFill button iframe is loaded and styled so that it takes up the entire page and is invisible to the user. If a visitor clicks anywhere on the page, LinkedIn interprets this as the AutoFill button being pressed and sends the information to the malicious site that harvests the user's information. The exploit was demonstrated by Cable in a proof of concept.

The personal data of LinkedIn users that could have been exposed through this flaw included full names, email addresses, location, company, job title, and zip codes.

The issue was discovered and reported to LinkedIn on April 9, 2018. LinkedIn deployed a patch on April 10 restricted to whitelisted websites and issued a public statement shortly after. Cable asked for further clarification from LinkedIn the same day about whether the fix could prevent whitelisted websites from misusing the feature. He reportedly received no response from LinkedIn after which the company deployed an additional patch on April 10.

"We immediately prevented unauthorized use of this feature, once we were made aware of the issue," a LinkedIn spokesperson told TechCrunch. "We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.

"For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile."

The incident comes shortly after Facebook confirmed a similar issue where unauthorized Javascript trackers were pulling out user info from websites using Login with Facebook. It also raises additional questions as well as security and privacy concerns over technology giants that handle and store user data.