LinkedIn's AutoFill Plugin Could Leak User Data, Secret Fix Failed (techcrunch.com)

TechCrunch reports a flaw in LinkedIn's AutoFill plugin that could have allowed hackers to steal your full name, phone number, email address, location (ZIP code), company, and job title. "Malicious sites have been able to invisibly render the plugin on their entire page so if users who are logged into LinkedIn click anywhere, they'd effectively be hitting a hidden 'AutoFill with LinkedIn' button and giving up their data." In other words, a clickjacking attack: the transparent frame sits over the whole page and captures whatever click the user makes. From the report: Researcher Jack Cable discovered the issue on April 9th, 2018 and immediately disclosed it to LinkedIn. The company issued a fix on April 10th but didn't inform the public of the issue. Cable quickly informed LinkedIn that its fix, which restricted the use of its AutoFill feature to whitelisted sites that pay LinkedIn to host their ads, still left it open to abuse. If any of those sites have cross-site scripting vulnerabilities, which Cable confirmed some do, hackers can still run AutoFill on their sites by installing an iframe to the vulnerable whitelisted site. He got no response from LinkedIn over the last 9 days, so Cable reached out to TechCrunch. A LinkedIn spokesperson issued this statement to TechCrunch: "We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them. For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile."
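The following is an added example, not code from LinkedIn, TechCrunch or the researcher. It models the two halves of the story in plain Node.js: the attacker page that renders a third-party "AutoFill" widget as an invisible full-page overlay, and the embedder checks a widget provider can apply, namely an origin allowlist that only sees the immediate parent frame (the shape of the first fix described above) versus a CSP `frame-ancestors` policy, which browsers enforce against every ancestor frame. Every origin, URL, allowlist entry and the reflected-XSS parameter are hypothetical constructions for the example.

```javascript
// Added example (not LinkedIn's, TechCrunch's or the researcher's code).
// Models the AutoFill clickjacking above and two embedder checks:
//  - a Referer/origin allowlist that sees only the immediate parent frame,
//    like the first fix described in the story, and
//  - a CSP frame-ancestors policy, which browsers check against every
//    ancestor frame in the chain.
// Every origin, URL and allowlist entry below is hypothetical.

const ALLOWLIST = new Set(['https://ads.example.com', 'https://careers.example.org']);

// Inline style of the attacker's widget iframe: fixed, full-viewport, fully
// transparent and on top of everything, so any click on the page hits the
// hidden "AutoFill" button inside the frame.
const OVERLAY_STYLE =
  'position:fixed;top:0;left:0;width:100vw;height:100vh;border:0;' +
  'opacity:0;z-index:2147483647';

// The attacker's page. widgetUrl is the third-party widget (hypothetical).
function buildClickjackPage(widgetUrl) {
  return '<!doctype html><html><body>' +
    '<p>Click anywhere to claim your prize.</p>' +
    `<iframe src="${widgetUrl}" style="${OVERLAY_STYLE}"></iframe>` +
    '</body></html>';
}

// A frame chain lists document URLs from the top-level page down to the
// widget's immediate parent (the widget itself is not listed).
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// First fix: serve the widget only when the Referer (immediate parent) is an
// allowlisted advertiser origin. Nothing above the parent is visible here.
function refererCheckAllows(chain, allowlist = ALLOWLIST) {
  if (chain.length === 0) return false;
  return allowlist.has(originOf(chain[chain.length - 1]));
}

// Content-Security-Policy: frame-ancestors is enforced by the browser against
// every ancestor, so nesting through an allowlisted page does not help.
function frameAncestorsAllows(chain, allowlist = ALLOWLIST) {
  return chain.length > 0 && chain.every((url) => allowlist.has(originOf(url)));
}

// The header value the widget's server would send for that policy.
function frameAncestorsHeader(allowlist = ALLOWLIST) {
  return `frame-ancestors ${[...allowlist].join(' ')}`;
}

// Scanner heuristic: flags an iframe whose inline style makes it an
// invisible full-viewport overlay, the signature of the attack page above.
function hiddenFrameIndicators(style) {
  const props = Object.fromEntries(
    style.split(';').filter((d) => d.includes(':'))
      .map((d) => d.split(':').map((s) => s.trim())),
  );
  const flags = [];
  if (parseFloat(props.opacity) <= 0.1) flags.push('transparent');
  if (props.visibility === 'hidden') flags.push('invisible');
  if (props.width === '100vw' && props.height === '100vh') flags.push('covers-viewport');
  if (props.position === 'fixed' || props.position === 'absolute') flags.push('overlay');
  return flags;
}

// Three constructed embedding scenarios (attacker origin and the XSS-able
// advertiser page are hypothetical; the q parameter stands for reflected XSS).
const XSSED_ADVERTISER = 'https://ads.example.com/search?q=%3Cscript%3E';
const SCENARIOS = {
  attackerIsTop: ['https://evil.example/prize'],
  attackerFramesXssedAdvertiser: ['https://evil.example/prize', XSSED_ADVERTISER],
  xssedAdvertiserIsTop: [XSSED_ADVERTISER],
};

// Returns whether each check would let the widget render in a given chain.
function evaluate(chain) {
  return { referer: refererCheckAllows(chain), frameAncestors: frameAncestorsAllows(chain) };
}

for (const [name, chain] of Object.entries(SCENARIOS)) {
  console.log(name, evaluate(chain));
}
```

Running it shows the three outcomes that matter: with the attacker's page on top, both checks refuse; with the attacker framing an XSS-able allowlisted advertiser page that in turn frames the widget, the Referer check passes (it sees only the advertiser) while `frame-ancestors` still refuses because the attacker origin is an ancestor; and when the user is lured directly to the XSS-able advertiser page, both checks pass, because every frame really is on the allowlist. That last case is why an embed allowlist is only as strong as the weakest allowlisted site: the remaining defence has to be in the widget itself, for example releasing profile data only after a confirmation in a separate top-level window, which the embedding page cannot draw over, rather than on a single click inside an iframe.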

  • by Anonymous Coward

    Not LinkedIn, not Facebook, not anything. Go to the site, log in, do your thing, log out.

  • Good thing LinkedIn and Facebook don't actually have my real information...

    I'm no fool... Even if the information these sites have "leaks" they will only be sharing my alter ego's information, not mine. The ONLY time I use any of my real information is when it is legally required, and then only when I've verified who I'm talking to. I also routinely delete my browser cookies, and I don't use the browser to store my passwords... I don't use the same username all over the place and I use a password manag

    • Your first name is Bobbie.

    • Good thing LinkedIn and Facebook don't actually have my real information...

      I'm no fool... Even if the information these sites have "leaks" they will only be sharing my alter ego's information, not mine.

      Leaks hell - LinkedIn actually asked me for my email password when I was going to sign up. Took care of that. My email is fucklinkedin@kissmyass.com, and the password is eatshitanddie19$$

    • LinkedIn is a site for sharing public, professional information. I point prospective employers or contracting agencies to my LinkedIn page, so for me, there's zero information I consider private on that site. Granted, I give these sites the *minimum* amount of required information, as you suggest, and that can be surprisingly little. Hell will freeze over before I give LinkedIn my e-mail's password, like they asked for.

      It seems like I drive LinkedIn crazy by not uploading a picture of myself, because the

  • Great, so can I expect the number of 'friend' requests to drop from 20% to even lower? Currently about 80% are recruitment agencies anyway... maybe I just don't understand LinkedIn!
  • by Anonymous Coward

    Because those are rare. Now if it had allowed common or garden variety data filching criminals, that would've been bad.

  • LinkedIn: We have fixed the autofill issue once and for all.
    Cable: But hackers can still use XSS and iframes to get data via whitelisted sites.
    LinkedIn: I said, ONCE AND FOR ALL!!

  • This month is my three-year anniversary off LinkedIn, Facebook and Instagram. So glad I am not into these things. There is no such thing as "not private" data. The corporations are avid for your "not private" data and fill your soul with ads.
