LinkedIn Data Leak Fixed. But for How Long?
A shocking security flaw was recently discovered by 18-year-old researcher Jack Cable. He disclosed that malicious websites could seamlessly use the LinkedIn AutoFill button to harvest users’ sensitive data. Even more, he demonstrated how a user's information can be unwillingly exposed to any website simply by clicking anywhere on the webpage.
“This is because the AutoFill button could be made invisible and span the entire page, causing a user clicking anywhere to send the user's information to the website,” Cable said.
LinkedIn responded with a statement refusing any evidence of vulnerability and cases of stealing users’ data. LinkedIn responded by assuring the public that there were no signs of abuse and informed the public that the vulnerability had been plugged. However, Jack Cable is convinced that LinkedIn’s servers simply aren’t able to detect abusing them as hackers are working invisibly.
How it works
First, you need to understand the nuts and bolts of a website. Every website contains hundreds of elements like images, videos, icons, buttons, you name it. To insert a piece of content from another source into a webpage, you’ll need a special web element called an iframe.
So, when you visit a malicious website, it loads the LinkedIn AutoFill button iframe. You can’t see it because it’s invisible and may take up even the entire webpage. If you click anywhere on the page, LinkedIn interprets this as the AutoFill button being pressed, and sends the information via a special postMessage service to the malicious site. Eventually, the malicious site decodes the user’s data.
Making things even worse? Websites like Twitter, SalesForce, and Twilio also use the AutoFill form and LinkedIn privacy settings don’t control this. Even if users have configured their LinkedIn privacy settings to hide their email, phone number, or other info, it can still be pulled in from the AutoFill plugin.
How to stay safe
According to Naked Security, LinkedIn has taken rapid actions and patched the loophole on April 19 by restricting the plugin to the list of sites that have permission to use AutoFill.
Yes, LinkedIn AutoFill works on whitelisted domains for approved advertisers. However, you can still take the following actions to protect your private data:
Remember to log out of websites like LinkedIn after you’ve finished using them.
Check all the websites that you have ever used. If you no longer need them, just remove your accounts and delete all your data.
Giant tech companies are facing more and more vulnerabilities, so much so that governments are now getting involved to consider possible solutions to this problem. Until there’s a viable solution in place, it’s better to be careful and avoid sharing your private information as much as possible.