LinkedIn AutoFill plugin flaw allowed hackers to leak personal data

by Jake Doe - -

LinkedIn AutoFill plugin might have exposed user profile data to hackers

LinkedIn AutoFill plugin might have leaked data

Facebook's data security scandal[1] is currently being put into the shade by LinkedIn's AutoFill flaw, which possibly exposes users' personal information to third-party websites.

LinkedIn, a social network from professionals that belong to Microsoft since 2016, has been considered as one of the most professional social networks on the web that does not depart from its initial purpose. However, it did not manage to evade the scandal of a data breach. On April 9th, 2018 a researcher Jack Cable revealed[2] a severe flaw in LinkedIn's AutoFill plugin.

Dubbed as cross-site scripting (XSS), the flaw might expose basic information from LinkedIn members' profiles, such as full name, email address, location, a position held, etc. to untrustworthy parties. Approved third-party websites that are included to LinkedIn's whitelist can render “AutoFill with LinkedIn” invisible, thus making LinkedIn members automatically fill in their details from the profile by clicking anywhere on the spammed website.

Cross-Site Scripting flaw allows hackers to modify website's view

Cross-Site Scripting or XSS[3] is a widespread vulnerability that can affect any app on the web. The flaw is exploited by hackers in a way they can easily inject content into a website and modify its current display view.

In case of LinkedIn flaw, hackers managed to exploit a widely used AutoFill plugin. The latter allows users to fill up forms quickly. LinkedIn has a whitelisted domain to use this functionality (more than 10,000 included in the top 10,000 websites ranked by Alexa), thus allowing approved third parties only to fill in basic information from their profile.

However, the XSS flaw allows hackers to render the plugin on the entire website making the “AutoFill with LinkedIn” button[4] invisible. Consequently, if a netizen that is connected to LinkedIn opens a website affected by XSS flaw, clicking on an empty or any content positioned on such a domain, unintentionally discloses personal information as if clicking on “AutoFill with LinkedIn” button.

As a consequence, the owner of the website can retrieve a full name, phone number, location, email address, ZIP code, company, the position held, experience, etc. without asking for visitor's permission. As Jack Cable explained,

This is because the AutoFill button could be made invisible and span the entire page, causing a user clicking anywhere to send the user's information to the website.

A patch for AutoFill flaw has already been issued on April 10th

Upon the founding, Jack Cable, the researcher who found the flaw, contacted LinkedIn and reported the XSS vulnerability. In response, the company released a patch on April 10 and limited a small number of approved websites.

Nevertheless, the LinkedIn Autofill vulnerability hasn't been patched successfully. After an in-depth analysis, Cable reported that at least one of the whitelisted domains is still vulnerable to the exploit allowing criminals to misuse AutoFill button.

LinkedIn has been informed about unpatched vulnerability, though the company did not respond. Consequently, the researcher made the vulnerability public. Upon revelation, LinkedIn's staff was quick to release the patch repeatedly:[5]

We immediately prevented unauthorized use of this feature, once we were made aware of the issue. While we’ve seen no signs of abuse, we’re continually working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this, and our security team will continue to keep in touch with them.

Prevent websites, ISP, and other parties from tracking you

Private Internet Access is a VPN that can prevent your Internet Service Provider, the government, and third-parties from tracking your online and allow you to stay completely anonymous. The software provides dedicated servers for torrenting and streaming, ensuring optimal performance and not slowing you down. You can also bypass geo-restrictions and view such services as Netflix, BBC, Disney+, and other popular streaming services without limitations, regardless of where you are.

A VPN is also crucial when it comes to user privacy. Online trackers such as cookies can not only be used by social media platforms and other websites but also your Internet Service Provider and the government. Even if you apply the most secure settings via your web browser, you can still be tracked via apps that you are connected to the internet. Besides, privacy-focused browsers like Tor is are not an optimal choice due to diminished connection speed.

Therefore, to stay completely anonymous and prevent the ISP and the government from spying on you, you should employ Private Internet Access VPN. It will allow you to connect to the internet while being completely anonymous, prevent trackers, ads, as well as malicious content. Most importantly, you will prevent the illegal surveillance activities that NSA and other governmental institutions are performing behind your back.

 

Recover your lost files quickly

Unforeseen circumstances can happen at any time while using the computer: it can turn off due to a power cut, a Blue Screen of Death (BSoD) can occur, or random Windows updates can decide to reboot the machine when you went away for a few minutes. As a result, your schoolwork, important documents, and other data might be lost.

Additionally, you might also be attacked by malware that can corrupt your Windows or encrypt files with a robust encryption algorithm, and ask for a ransom in Bitcoin for the decryption tool. Cybercriminals might not deliver what they promised, however, so it is better to attempt alternative file recovery methods that could help you to retrieve at least some portion of the lost data.

Data recovery software is one of the options that could help you recover your files. Once you delete a file, it does not vanish into thin air – it remains on your system as long as no new data is written on top of it. Data Recovery Pro is recovery software that searchers for working copies of deleted files within your hard drive. By using the tool, you can prevent loss of valuable documents, school work, personal pictures, and other crucial files.

About the author
Jake Doe
Jake Doe - Computer technology geek

Jake Doe is a News Editor at Ugetfix. Since he met Ugnius Kiguolis in 2003, they both launched several projects that spread awareness about cybercrimes, malware, and other computer-related problems.

Contact Jake Doe
About the company Esolutions

References


Your opinion regarding LinkedIn AutoFill plugin flaw allowed hackers to leak personal data