Every now and then we hear about company data breaches resulting in millions of user’s data left exposed. It’s just been over a month when Facebook was found guilty in one of the biggest data breaches ever, wherein personal information of millions of users was leaked without their notice. Now a new flaw has been discovered in LinkedIn, the biggest social networking platform for professionals.
A security researcher named Jack Cable recently notified LinkedIn about a vulnerability in AutoFill feature of LinkedIn that can be used by attackers to gain access of user’s personal information like complete name, email address, phone number, Postal/Zip code, company and job title without their notice.
What is LinkedIn AutoFill Feature and how can it be Exploited?
LinkedIn AutoFill feature helps the websites (only the websites that are whitelisted) to let users fill their personal data automatically just with a single tap or click using AutoFill plugin.
This means that LinkedIn offers all its paid customers of LinkedIn Marketing Solutions with an AutoFill button to place on their websites. This AutoFill button simplifies the task of filling the forms for the visitors that land on that website.
Although as per LinkedIn AutoFill it is not open for all and restricted only to whitelisted websites but as per Jack any website could exploit this functionality and then collect user’s details that too without notice.
Jack further demonstrated that if any of those whitelisted websites that are allowed to use AutoFill have cross-site scripting vulnerabilities (that he found many websites have) then attackers can also run AutoFill on their compromised websites by installing an iframe to that authorized websites.
See Also: 10 Best Anti-Malware Software for Windows
Moreover, this flaw can expose user’s information irrespective of the privacy setting applied on LinkedIn profile.
The security researcher has shown the exploit flows:
- The user visits the malicious site, which loads the LinkedIn AutoFill button iframe.
- The iframe is styled so it takes up the entire page and is invisible to the user.
- The user clicks anywhere on the page. LinkedIn interprets this as the AutoFill button being pressed, and sends the information via postMessage to the malicious site.
- The site harvests the user’s information via the following code:
window.addEventListener("message", receiveMessage, false);
function receiveMessage(event)
{
if (event.origin == 'https://www.linkedin.com') {
let data = JSON.parse(event.data).data;
if (data.email) {
alert('Hi, ' + data.firstname + ' ' + data.lastname + '! Your email is ' + data.email + '. You work at ' + data.company + ' and you live in ' + data.city + ', ' + data.state + '.');
console.log(data);
}
}
console.log(event)
}
What has been more shocking was that when Jack apprised LinkedIn of this vulnerability in AutoFill then LinkedIn issued a fix without notifying the public. But when he contacted LinkedIn again describing that the fix provided by them can still be exploited then they didn’t revert him back for more than a week. This forced Jack to contact TechCrunch regarding this serious security flaw in AutoFill plugin of LinkedIn.
This somehow forced LinkedIn to show interest in the bug reported by Jack and they issued a complete patch on 19th April for the vulnerability in AutoFill with the following statement.
We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.
For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile.
Hopefully, for now, the vulnerability found in AutoFill of LinkedIn is patched up. Also, a sincere thanks to Jack Cable for discovering this flaw and getting it patched up at such an early stage, saving many users from exposing their data yet again. As who knows if this vulnerability might one day have changed to the biggest data breach ever known.