LinkedIn reportedly had a bug that could have exposed user data, including private information such as email addresses and phone numbers.
The bug lies in how the professional networking platform's AutoFill feature submits profile data to other websites. Attackers could have hijacked this process to harvest information from user profiles.
LinkedIn AutoFill Bug
The vulnerability affected the popular LinkedIn AutoFill plugin. Many LinkedIn members rely on this plugin to automatically fill in some data from their profile on approved third-party websites. The information can include basic details such as name, location, place of employment, and email address, and the plugin fills in such data automatically so that users can easily sign up on a website or register for email newsletters.
LinkedIn extends this functionality only to websites that it has whitelisted, and each new domain has to receive approval before it can use the AutoFill plugin. Whitelisted websites currently include Microsoft, Twitter, and dozens of others; once a user clicks the AutoFill button on one of these sites, the site receives the profile data without any further confirmation prompt.
The Problem With LinkedIn Autofill
The problem appears when such a website has a cross-site scripting (XSS) bug. Attackers can exploit such a flaw to inject script into the whitelisted site's pages, so their code runs under that site's origin and can embed and trigger the AutoFill button itself. This means that they could also obtain the information from LinkedIn.
Security researcher Jack Cable from Lightning Security was the first to report this issue; he also reached out to LinkedIn to inform the company of the matter and call for a fix.
"LinkedIn states that this functionality is restricted to whitelisted websites; however, until my report, any website could abuse this functionality," Cable warned. "In a report to LinkedIn, I demonstrated that a user's information can be unwillingly exposed to any website simply by clicking somewhere on the page. This is because the AutoFill button could be made invisible and span the entire page, causing a user clicking anywhere to send the user's information to the website."
Even more alarmingly, this bug can expose users' data even if they have strict privacy settings, such as hiding their email address or their full name.
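The two failure modes described above (any page able to use the button, and a whitelisted page being abused) come down to where the embedding allowlist is enforced. The following is an added illustration, not LinkedIn's code and not the researcher's proof of concept: a hypothetical widget backend (function names such as handleAutofillHardened, and the allowlist entries, are assumptions for the example) that checks the requesting page's origin exactly, plus a frame-ancestors policy so that non-whitelisted pages cannot frame the button and stretch an invisible copy of it across the whole page. The "vulnerable" handler hands profile data to any caller, which is the behaviour the report describes; a substring-matching check is included to show a common wrong fix.

```javascript
// Added example (not LinkedIn's code). Hypothetical widget backend enforcing an
// embedding allowlist. Allowlist entries below are illustrative placeholders.
const ALLOWED_EMBEDDERS = new Set([
  "https://www.microsoft.com",
  "https://twitter.com",
]);

// Normalise any URL to its origin (scheme://host[:port]). Returns null when the
// value is unparsable, which includes the literal "null" Origin that browsers
// send for opaque (sandboxed, file://, data:) contexts, so those are denied too.
function toOrigin(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Exact-origin match against the allowlist. No prefix or suffix games.
function isAllowedEmbedder(origin) {
  const o = toOrigin(origin);
  return o !== null && ALLOWED_EMBEDDERS.has(o);
}

// A common wrong fix: substring matching on the allowlisted hostname.
// "https://twitter.com.evil.example" contains "twitter.com" and passes.
function isAllowedSubstring(origin) {
  const o = toOrigin(origin);
  return o !== null && [...ALLOWED_EMBEDDERS].some(a => o.includes(new URL(a).hostname));
}

// Behaviour the report describes: profile data is returned to whoever asks.
function handleAutofillVulnerable(headers, profile) {
  return { status: 200, body: profile };
}

// Hardened handler. Browsers set Origin on cross-site fetch/XHR and page script
// cannot forge it; Referer is only a fallback for requests that carry no Origin.
// Anything not on the allowlist, including a request with neither header, gets 403.
function handleAutofillHardened(headers, profile) {
  const embedder = headers.origin ?? headers.referer ?? null;
  if (!isAllowedEmbedder(embedder)) {
    return { status: 403, body: null };
  }
  return { status: 200, body: profile };
}

// CSP header to send with the button's own HTML so that only allowlisted pages
// can frame it. This is what defeats the invisible, page-spanning overlay: the
// browser refuses to render the frame on any other page at all.
function frameAncestorsHeader() {
  return `frame-ancestors ${[...ALLOWED_EMBEDDERS].join(" ")}`;
}

// Simplified model of the browser's frame-ancestors check: the top-level page's
// origin must match a listed source exactly. Real CSP also supports 'self',
// 'none', scheme-only and wildcard host sources, which this model omits.
function canBeFramedBy(cspHeader, parentOrigin) {
  const m = /frame-ancestors\s+([^;]+)/.exec(cspHeader);
  if (!m) return true; // no directive: any page may frame the widget
  const sources = m[1].trim().split(/\s+/).map(toOrigin);
  const parent = toOrigin(parentOrigin);
  return parent !== null && sources.includes(parent);
}

// Constructed sample profile, the kind of data the button fills in.
const SAMPLE_PROFILE = {
  name: "Example User",
  email: "example.user@example.invalid",
  location: "Example City",
  company: "Example Corp",
};

// Stand-alone demonstration.
function demo() {
  const attacker = { origin: "https://twitter.com.evil.example" };
  return {
    vulnerable: handleAutofillVulnerable(attacker, SAMPLE_PROFILE).status,   // 200
    substringCheckFooled: isAllowedSubstring(attacker.origin),              // true
    hardened: handleAutofillHardened(attacker, SAMPLE_PROFILE).status,      // 403
    attackerCanFrame: canBeFramedBy(frameAncestorsHeader(), attacker.origin), // false
  };
}
console.log(demo());
```

The origin comparison deliberately works on the parsed origin rather than the raw header string, so paths, query strings and trailing slashes in a Referer do not cause false denials, while look-alike hosts cannot slip through. Note that the server-side check alone does not stop the overlay trick on a page that is legitimately allowlisted; that is what the frame-ancestors policy and fixing the embedding site's own XSS are for.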
LinkedIn Patched The AutoFill Bug
LinkedIn reportedly did not fix the issue after Cable's first report, and his follow-up email about the bug went unanswered. He then disclosed the matter publicly, which prompted LinkedIn to take action and fix it.
Following the researcher's post on Thursday, April 19, LinkedIn patched the vulnerability and said that once it learned about the matter, it immediately took action to prevent unauthorized use of AutoFill.
LinkedIn says that it has not discovered any evidence of abuse and that it's always committed to ensuring that users' information is protected.