LinkedIn’s Data Problem: AutoFill Plugin Allowed User Data to Be Stolen by Third-Party Websites
You might have noticed job seeking websites ask for permissions to autofill data from LinkedIn. LinkedIn allows websites to offer their visitors autofill their information through an AutoFill plugin. This data could include LinkedIn user's name, email address, phone number, location, and their job history. This useful feature that has been offered for years to paying websites, however, was plagued with a critical security flaw that potentially enabled just about any website to siphon off data. [Reminds of something?]
The company suggests that this feature has been limited to "whitelisted websites." But a security researcher recently revealed how this feature could have been - and possibly was - abused by data scrapers. What happens is that a website could secretly use LinkedIn AutoFill, modify the permission button size to span the entire page, receive consent when a user clicks "anywhere" on the page since the button is invisible, and get all of their data whether it was set to public or private.
LinkedIn AutoFill exposed data to websites
"In a report to LinkedIn, I demonstrated that a user's information can be unwillingly exposed to any website simply by clicking somewhere on the page," 18-year-old security researcher Jack Cable wrote earlier today in a blog post. "This is because the AutoFill button could be made invisible and span the entire page, causing a user clicking anywhere to send the user's information to the website."
It appears as if LinkedIn accepts the risk of whitelisted websites having access to this functionality, yet this is a major security concern. Any whitelisted website that pays for LinkedIn's service is able to view sensitive information of visitors, including their name, email address, phone number, location, and job. Additionally, any of the whitelisted websites being compromised would the information of LinkedIn users to malicious hackers.
The company has now fixed the issue and suggests that it hasn't been abused. However, in a statement to TechCrunch, Cable said that "it is entirely possible that a company has been abusing this without LinkedIn’s knowledge, as it wouldn’t send any red flags to LinkedIn’s servers."
"We immediately prevented unauthorized use of this feature, once we were made aware of the issue," the company said in its own statement.
"We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.
"For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile."
Cable pointed out that this feature could also be abused by the websites whitelisted by LinkedIn by avoiding to take user permission. And if those whitelisted websites have cross-site scripting vulnerabilities, hackers can still manage to run invisible AutoFill to get user data.
While companies like LinkedIn and Facebook try to have a presence out of their own websites and apps, they often do that at the risk of user security. LinkedIn might choose to rely on its set of whitelisted websites, but how would it make sure those websites aren't vulnerable themselves?