LinkedIn patches serious leak in its AutoFill plugin

LinkedIn has plugged a flaw in its AutoFill button that would have allowed a malicious website to harvest basic account data from your LinkedIn profile.

Introduced a few years back, AutoFill is promoted as a convenient way for websites to capture a visitor’s name, email address, phone number, geographical location, company name, and job role.

Visitors must be logged in to LinkedIn for this to work seamlessly. Those who aren’t logged in will see a ‘sign in to LinkedIn’ button.

Given the sensitivity of the data being captured, it’s only supposed to be available to a select group of sites that pay for the privilege.

But according to researcher Jack Cable, any malicious website could have hosted it, invisibly, and siphoned off your data undetected.

All the unwitting victim would have to do to spring the trap is click anywhere on the malicious page, a classic clickjacking set-up, as demonstrated by Cable’s proof-of-concept. Said the researcher:

This is because the AutoFill button could be made invisible and span the entire page, causing a user clicking anywhere to send the user’s information to the website.

After being informed on 9 April, LinkedIn partially fixed the vulnerability the next day, restricting the plugin to the list of sites that have permission to use AutoFill. Said LinkedIn:

We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly.

LinkedIn said it had seen no signs that the flaw had been abused and thanked Cable for reporting it.

The 10 April fix stopped sites that weren’t allowed to use the code from hosting it, but still left users of the permitted sites exposed to potential abuse if those sites harboured any cross-site scripting (XSS) flaws: script injected into an allow-listed page runs with that page’s origin, so the allow-list check passes and the same invisible-button trick works from there.

That loophole was closed by a second patch on 19 April.
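The invisible full-page button Cable describes, together with the embedder allow-list check that the 10 April fix relied on and the reason an XSS flaw on an allowed site gets past it, as an added illustration that is not part of the original article, not Cable’s proof-of-concept and not LinkedIn’s code. It assumes nothing about LinkedIn’s real script: the container id `widget`, the helper names, the 0.1 opacity and 90% coverage thresholds, and every element, viewport and origin below are constructed for the example.

```javascript
// Added illustration: not Jack Cable's proof-of-concept and not LinkedIn's
// AutoFill code. Shows (1) the CSS that turns an embedded widget into an
// invisible button covering the whole page, (2) a heuristic that flags an
// element styled that way, and (3) an exact-origin allow-list check of the
// kind a widget provider can use to refuse unauthorised embedders.
// Runs under Node with no DOM; element objects, viewport and origins are
// constructed test data.

// (1) Styles a hostile page would apply to the widget's container (the id
//     "widget" is a placeholder chosen here) so that a click anywhere on the
//     page lands on the widget. Kept as a string for reference.
const OVERLAY_CSS = `
#widget {
  position: fixed;
  top: 0; left: 0;
  width: 100vw; height: 100vh;
  opacity: 0;           /* invisible to the user */
  z-index: 2147483647;  /* stacked above everything else */
}`;

// (2) Heuristic detector. `el.style` mimics the subset of getComputedStyle()
//     used here and `el.rect` mimics getBoundingClientRect(); `viewport` is
//     {width, height} in CSS pixels. An element is flagged when it is nearly
//     transparent, still receives pointer events, is taken out of normal
//     flow, and covers at least `coverage` of the viewport. The thresholds
//     are choices made for this example, not a standard.
function isInvisibleFullPageOverlay(el, viewport, coverage = 0.9) {
  const { style, rect } = el;
  const opacity = style.opacity === undefined ? 1 : parseFloat(style.opacity);
  if (!(opacity < 0.1)) return false;                // the user can see it
  if (style.pointerEvents === 'none') return false;  // clicks pass through it
  if (style.position !== 'fixed' && style.position !== 'absolute') return false;

  // Area of the element that actually lies inside the viewport.
  const visibleW = Math.max(0, Math.min(rect.right, viewport.width) - Math.max(rect.left, 0));
  const visibleH = Math.max(0, Math.min(rect.bottom, viewport.height) - Math.max(rect.top, 0));
  const fraction = (visibleW * visibleH) / (viewport.width * viewport.height);
  return fraction >= coverage;
}

// (3) Embedder allow-list check. `origin` is what the provider sees in the
//     Origin header or derives from the referrer. Whole origins are compared,
//     so "https://partner.example.evil.test" does not match an entry for
//     "https://partner.example", and plain http is rejected. This is the
//     shape of an allow-list fix; it cannot help when an allowed site has an
//     XSS flaw, because injected script runs with that site's origin and
//     passes this check unchanged.
function isAllowedEmbedder(origin, allowlist) {
  let parsed;
  try { parsed = new URL(origin); } catch (e) { return false; }
  if (parsed.protocol !== 'https:') return false;
  return allowlist.includes(parsed.origin);
}

// Constructed sample data for a 1280x720 viewport.
const VIEWPORT = { width: 1280, height: 720 };
const SAMPLE_ELEMENTS = {
  overlay:      { style: { position: 'fixed', opacity: '0', pointerEvents: 'auto' },
                  rect: { top: 0, left: 0, right: 1280, bottom: 720 } },
  halfOverlay:  { style: { position: 'fixed', opacity: '0', pointerEvents: 'auto' },
                  rect: { top: 0, left: 0, right: 640, bottom: 720 } },
  honestButton: { style: { position: 'static', opacity: '1' },
                  rect: { top: 300, left: 500, right: 700, bottom: 340 } },
  inertCover:   { style: { position: 'fixed', opacity: '0', pointerEvents: 'none' },
                  rect: { top: 0, left: 0, right: 1280, bottom: 720 } },
};
const ALLOWLIST = ['https://partner.example'];
const SAMPLE_ORIGINS = [
  'https://partner.example/form',
  'https://partner.example.evil.test',
  'http://partner.example',
  'not a url',
];

// Runs both checks over the sample data and returns what was flagged/allowed.
function report() {
  const flagged = Object.entries(SAMPLE_ELEMENTS)
    .filter(([, el]) => isInvisibleFullPageOverlay(el, VIEWPORT))
    .map(([name]) => name);
  const allowed = SAMPLE_ORIGINS.filter((o) => isAllowedEmbedder(o, ALLOWLIST));
  return { flagged, allowed };
}

console.log(report()); // { flagged: [ 'overlay' ], allowed: [ 'https://partner.example/form' ] }
```

The detector only recognises the pattern the article describes (a transparent, click-receiving element covering the page); a decoy laid on top with `pointer-events: none`, or a widget shrunk and moved under the cursor, needs additional checks. The allow-list function shows why the first patch could only be partial: it has no way to tell a site’s own script from script injected into that site.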

Web flaws are incredibly common but this one exposes bigger issues.

First, what looks like a serious vulnerability has been hiding in plain sight for some time, which speaks of weak testing.

Second, and perhaps even worse, LinkedIn users who are logged in have only rudimentary control over the feature.

Visit a site with AutoFill installed (Twitter, Salesforce, Twilio, say) and, true to its name, your data is loaded automatically for you to submit. There doesn’t appear to be a LinkedIn privacy setting to control this.

One countermeasure you can take, and one that also blunts cross-site request forgery attacks in general, since those rely on your browser still holding a live session, is to log out of sites like LinkedIn when you’ve finished using them.

Meanwhile, LinkedIn’s explanation of AutoFill security is written solely to aid websites that might implement it – it’s as if the user’s data is just another resource to be disseminated as far and wide as possible.

It’s a model that explains how the web often works. As Facebook’s problems underline, the future might not be as carefree.