LinkedIn joins the data privacy breach club after a researcher detected a major vulnerability in its AutoFill plugin, which allows members to autofill their information in forms on other websites. The bug was found by researcher Jack Cable, who also released a proof-of-concept showing how the vulnerability could be exploited through a cross-site scripting flaw on a website.
If exploited by third parties, the bug exposes private personal information kept on user profiles, such as name, email, job, location and phone number.
“A user’s information can be unwillingly exposed to any website simply by clicking somewhere on the page,” reads Cable’s report. “This is because the AutoFill button could be made invisible and span the entire page, causing a user clicking anywhere to send the user’s information to the website.”
The AutoFill feature, which allows a website to collect profile data without explicit user consent, was available only on approved whitelisted domains such as Twitter and Microsoft, the social network claimed. Cable, however, writes that “until my report, any website could abuse this functionality.”
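The two weaknesses described above, a button that can be made invisible and stretched across the page and an embedder allowlist that was not actually enforced, map onto two guards a profile-autofill widget can apply before releasing any data. The following is an added illustration, not LinkedIn's or the researcher's code; the allowlist entry, the size and opacity thresholds and the function names are assumptions.

```javascript
// Added example: defensive checks a profile-autofill widget can run before
// handing profile data to the embedding page. Guard 1 enforces an explicit
// embedder allowlist; guard 2 refuses clicks on a button that has been made
// invisible or stretched over the viewport. Thresholds are illustrative.

const ALLOWED_EMBEDDERS = new Set(['https://example-advertiser.test']); // constructed

// Guard 1: exact origin match against the allowlist. `ancestorOrigin` is the
// top-level page's origin (e.g. from location.ancestorOrigins in the browser,
// or the Origin/Referer header when checked server-side).
function isAllowedEmbedder(ancestorOrigin, allowlist = ALLOWED_EMBEDDERS) {
  let origin;
  try {
    origin = new URL(ancestorOrigin).origin; // normalise; reject malformed input
  } catch {
    return false;
  }
  // Exact match only: suffix or substring matching would admit
  // "https://example-advertiser.test.evil.example".
  return allowlist.has(origin);
}

// Guard 2: overlay heuristics. `m` holds metrics of the button and viewport
// at click time; returns the reasons (if any) the click is refused.
function overlayFindings(m) {
  const findings = [];
  if (m.opacity < 0.5) findings.push('button is (nearly) transparent');
  if (m.visibility !== 'visible') findings.push('button is hidden via visibility');
  const coverage = (m.width * m.height) / (m.viewportWidth * m.viewportHeight);
  if (coverage > 0.25) findings.push(`button covers ${Math.round(coverage * 100)}% of the viewport`);
  if (m.width > 600 || m.height > 200) findings.push('button is far larger than a normal control');
  return findings;
}

// Both guards must pass before profile data leaves the widget.
function shouldReleaseProfile(ancestorOrigin, metrics) {
  return isAllowedEmbedder(ancestorOrigin) && overlayFindings(metrics).length === 0;
}

// Browser-side helper (assumption: only usable where a DOM exists) that
// collects the metrics overlayFindings() expects from the real button.
function metricsFor(button) {
  const cs = getComputedStyle(button);
  const r = button.getBoundingClientRect();
  return { opacity: parseFloat(cs.opacity), visibility: cs.visibility,
           width: r.width, height: r.height,
           viewportWidth: window.innerWidth, viewportHeight: window.innerHeight };
}
```

In a widget's click handler, `shouldReleaseProfile(topOrigin, metricsFor(button))` gates the data release; the origin check should additionally be enforced server-side, since client-side checks alone can be bypassed by the embedding page.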
After receiving a notification about the bug, LinkedIn fixed the vulnerability that could have compromised user data.
LinkedIn sent the following statement to TechCrunch:
We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.
For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile.