Plugins that store important information will always be a target for miscreants, security experts have warned
LinkedIn has patched a vulnerability in its AutoFill feature that left users’ names and email details exposed to third-party websites.
AutoFill gives site visitors the option to automatically pre-populate a website form with information from their LinkedIn profile, including their name, email address, phone number, and location.
The technology has been offered at a fee for some years to website customers of LinkedIn’s Marketing Solutions.
Security researcher Jack Cable discovered that any website – and not only the whitelisted domain LinkedIn has approved – was open to abusing this functionality to scoop up LinkedIn profile information.
Surfers who happened to be LinkedIn users could unwittingly expose this information simply by clicking on a page.
Cable found that the AutoFill button could be made invisible and designed to span an entire page, meaning a user clicking anywhere would unknowingly hand over profile information to the website.
Cable created a proof of concept demonstration of the vulnerability, as explained in more depth in a blog post.
In a statement, the Microsoft-owned business-focused social network said it had patched the data disclosure vulnerability, mitigating the privacy risk:
We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly.
While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this, and our security team will continue to stay in touch with them.
LinkedIn initially responded by restricting the AutoFill functionality to whitelisted websites, before going one step further and issuing a second patch that prevented nominally trusted sites from abusing the feature.
This secondary fix was important because prior to it a compromise in any of the whitelisted websites would have exposed the information of LinkedIn users to malicious hackers, according to Cable.
The researcher faulted LinkedIn for violating its own privacy policies as a result of the vulnerability. The AutoFill FAQ stated the technology was not designed to blindly submit form fields without user’s express consent, but coding mistakes by the social network rendered this assurance invalid.
In addition, the flaw exposed LinkedIn users’ profile information to potential harvesting, regardless of any privacy setting they might have applied.
LinkedIn is yet to respond to requests from The Daily Swig to comment on this secondary criticism, nor to state with any certainty whether or not the now resolved security vulnerability was actually abused – something that has become a particular point of concern.
Chris Boyd, a security researcher at infosec firm Malwarebytes, told the The Daily Swig that using autofill technology involves a trade-off that the more security conscious might want to avoid.
“Anything storing important information is always a target for miscreants, and this LinkedIn attack is part of a long line of autofill theft attempts,” Boyd explained. “The most common targets we’ve seen over the years are passwords stored in browsers swiped by malware, but there are many other forms of attack.
“For example, using third-party tracking scripts to grab email addresses via invisible forms for the purposes of marketing, or potentially abusing browser autofills to aid phishing.”
Boyd concluded: “In general, autofill is great for convenience but it’s a huge drawback if the only way to guarantee data isn’t being stolen is logging out all the time, or wiping everything resident in the browser itself.”
