
LinkedIn fixes major bug in AutoFill plugin

Luana PASCU

April 20, 2018


LinkedIn joins the data privacy breach club after a researcher detected a major vulnerability in its AutoFill plugin, which allows members to autofill their information in forms on other websites. The bug was detected by researcher Jack Cable, who also released a proof-of-concept to explain how the vulnerability could be exploited through a cross-site scripting flaw on a website.

If exploited by third parties, the bug exposes private personal information kept on user profiles, such as name, email, job, location and phone number.

“A user’s information can be unwillingly exposed to any website simply by clicking somewhere on the page,” reads Cable’s report. “This is because the AutoFill button could be made invisible and span the entire page, causing a user clicking anywhere to send the user’s information to the website.”

The AutoFill feature, which allows a website to collect profile data without explicit user consent, was available only to whitelisted, approved domains such as Twitter and Microsoft, the social network claimed. However, Cable writes that “until my report, any website could abuse this functionality.”

After receiving a notification about the bug, LinkedIn fixed the vulnerability that could have compromised user data.
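
An added example (not LinkedIn's code, and not taken from Cable's report) of the checks an embedded autofill widget can run before releasing profile fields, covering the two failures described above: a whitelist that is not enforced, and a button that is invisible or stretched over the page. The allowlist entry, size limit, function names and request fields are all assumptions.

```javascript
// Added example: gate run inside an embedded autofill widget before any
// profile field leaves it. All names and values here are hypothetical.
const APPROVED_ORIGINS = new Set(["https://partner.example"]); // constructed allowlist
const MAX_BUTTON = { width: 300, height: 60 }; // assumed largest legitimate button, px

// Reduce a URL to its origin; only https origins are considered at all.
function parseOrigin(value) {
  try {
    const url = new URL(value);
    return url.protocol === "https:" ? url.origin : null;
  } catch {
    return null;
  }
}

// request fields (all assumed to be collected by the widget itself):
//   parentOrigin           - origin of the embedding page
//   frameWidth/frameHeight - the widget's own viewport size
//   isVisible              - e.g. IntersectionObserver v2 entry.isVisible
//   userConfirmed          - user approved the field list in the widget's own dialog
function mayReleaseProfile(request) {
  const origin = parseOrigin(request.parentOrigin);
  if (origin === null) return { allow: false, reason: "invalid-origin" };
  // Exact match on the parsed origin: no suffix or substring comparison.
  if (!APPROVED_ORIGINS.has(origin)) return { allow: false, reason: "origin-not-approved" };
  // A frame stretched beyond button size matches the "span the entire page" case.
  if (request.frameWidth > MAX_BUTTON.width || request.frameHeight > MAX_BUTTON.height) {
    return { allow: false, reason: "frame-oversized" };
  }
  // An invisible button cannot carry informed consent.
  if (request.isVisible !== true) return { allow: false, reason: "not-visible" };
  // A click on the button is not consent; require the explicit confirmation step.
  if (request.userConfirmed !== true) return { allow: false, reason: "no-explicit-consent" };
  return { allow: true, reason: "ok" };
}

// Constructed sample requests.
const base = { parentOrigin: "https://partner.example", frameWidth: 200, frameHeight: 40,
               isVisible: true, userConfirmed: true };
const samples = [ base,
  { ...base, parentOrigin: "https://partner.example.attacker.example" },
  { ...base, frameWidth: 1920, frameHeight: 1080, isVisible: false },
  { ...base, userConfirmed: false } ];
for (const s of samples) console.log(s.parentOrigin, mayReleaseProfile(s));
```

Script injected into an approved site through a cross-site scripting flaw would still pass the origin check, so the visibility and confirmation steps have to hold independently of it.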

LinkedIn sent the following statement to TechCrunch:

We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.

For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile.
