Autofill Plugin of LinkedIn could Leak User Data


Facebook is not the only big-ticket company embroiled in a data privacy issue. Now it's LinkedIn too. A glitch in LinkedIn's AutoFill plugin, which lets users speed up form completion, may have given hackers a way to gather a user's name, email address, phone number, ZIP code, job profile, and company.

A malicious site could stretch the plugin across its entire page and render it invisible. A user who is logged into the professional networking site and clicks anywhere on that page would also be clicking an imperceptible "AutoFill with LinkedIn" button, and would thus unwittingly hand over their data.

Researcher Jack Cable Discovers Issue

A researcher named Jack Cable uncovered the problem on April 9, 2018, and informed LinkedIn about it immediately. While the company said it carried out a fix the very next day, it refrained from informing the public. However, Cable said that the fix, which now limits AutoFill to whitelisted sites that pay the networking giant to host their ads, still leaves it open to abuse.

According to Cable, whitelisted sites that are themselves prone to cross-site scripting can still be made to run AutoFill by embedding it in an iframe, which leaves those whitelisted sites exposed. While LinkedIn says it has no proof of the vulnerability being misused to extract user data, Cable feels it is entirely possible for a company to abuse it without sending any red flags whatsoever to LinkedIn's servers.