Slashdot Mirror


LinkedIn's AutoFill Plugin Could Leak User Data, Secret Fix Failed (techcrunch.com)

TechCrunch reports on a flaw in LinkedIn's AutoFill plugin that could have allowed hackers to steal your full name, phone number, email address, location (ZIP code), company, and job title. "Malicious sites have been able to invisibly render the plugin on their entire page so if users who are logged into LinkedIn click anywhere, they'd effectively be hitting a hidden 'AutoFill with LinkedIn' button and giving up their data." From the report: Researcher Jack Cable discovered the issue on April 9th, 2018 and immediately disclosed it to LinkedIn. The company issued a fix on April 10th but didn't inform the public of the issue. Cable quickly informed LinkedIn that its fix, which restricted the use of its AutoFill feature to whitelisted sites who pay LinkedIn to host their ads, still left it open to abuse. If any of those sites have cross-site scripting vulnerabilities, which Cable confirmed some do, hackers can still run AutoFill on their sites by installing an iframe to the vulnerable whitelisted site. He got no response from LinkedIn over the last 9 days so Cable reached out to TechCrunch. A LinkedIn spokesperson issued this statement to TechCrunch: "We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them. For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile."
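The two defensive points in the report are that an embeddable widget must not be renderable in a frame by arbitrary sites (the invisible full-page overlay) and that a domain allowlist only narrows who may frame it. The following is an added example, not LinkedIn's code and not TechCrunch's: a server-side check for such a widget endpoint that canonicalises the browser's Origin header, matches it exactly against an allowlist of full origins (the partner hostnames are constructed placeholders), and answers with a Content-Security-Policy frame-ancestors directive scoped to that single approved origin, or a deny-all policy otherwise. Exact origin matching avoids the usual suffix-match mistake where a lookalike host ending in the approved name is accepted.

```python
from urllib.parse import urlsplit

# Constructed allowlist of embedding sites (hypothetical names, not LinkedIn's
# real list of approved advertisers). Entries are full origins, never bare
# hostnames, so matching is exact and a lookalike host cannot slip through.
APPROVED_EMBEDDERS = {
    "https://ads.example-partner.test",
    "https://careers.example-corp.test",
}


def normalize_origin(value):
    """Canonicalise an Origin header value to 'https://host[:port]'.

    Returns None for anything that is not a plain https origin: a missing or
    'null' origin (sandboxed or opaque contexts), http, userinfo, a path,
    query or fragment, or an unparseable port.
    """
    if value is None:
        return None
    value = value.strip()
    if not value or value.lower() == "null":
        return None
    try:
        parts = urlsplit(value)
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname or parts.username is not None:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    host = parts.hostname.lower()
    if port is None or port == 443:
        return f"https://{host}"
    return f"https://{host}:{port}"


def frame_policy_for(origin_header):
    """Decide whether the widget page may be framed by the requesting site.

    Returns (allowed, headers). An approved embedder gets a frame-ancestors
    policy naming only its own origin, so no other site can render the widget
    (visibly or invisibly); every other request gets a deny-all policy.
    """
    origin = normalize_origin(origin_header)
    if origin is None or origin not in APPROVED_EMBEDDERS:
        return False, {
            "Content-Security-Policy": "frame-ancestors 'none'",
            "X-Frame-Options": "DENY",  # legacy fallback for older browsers
        }
    return True, {"Content-Security-Policy": f"frame-ancestors {origin}"}


if __name__ == "__main__":
    # Constructed sample Origin values, including lookalike and path tricks.
    for candidate in [
        "https://ads.example-partner.test",
        "https://ADS.example-partner.test:443",
        "https://ads.example-partner.test.attacker.test",
        "https://attacker.test/https://ads.example-partner.test",
        "null",
    ]:
        allowed, headers = frame_policy_for(candidate)
        print(f"{candidate!r:60} -> {'allow' if allowed else 'deny':5} {headers}")
```

The allowlist attests only which site is doing the framing, not that the page on that site runs trustworthy script, which is the second problem the researcher reported: an allowlisted site with a cross-site scripting bug can still host the frame. That residual risk is why such a widget should also act only on a visible, user-initiated click on the widget itself rather than on any click over a hidden overlay, and why the allowlist itself needs ongoing review.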

25 comments

  1. Don't stay logged into sites by Anonymous Coward · · Score: 1

    Not LinkedIn, not Facebook, not anything. Go to the site, log in, do your thing, log out.

    1. Re: Don't stay logged into sites by Anonymous Coward · · Score: 1

      Cross site logins like that shouldn't even exist. That in and of itself is a fail.

    2. Re: Don't stay logged into sites by Anonymous Coward · · Score: 1

      LickedIn is a stupid piece of smelly shit, stealing personal data ever since inception.

  2. Re: Get DEPENDS by Anonymous Coward · · Score: 0

    LOL exactly.

    Trump Eunuchs like to be peepeed on.

  3. Lazy aaa users of such plugin deserve it by Anonymous Coward · · Score: 0

    Come on. How lazy do you have to be to use such a plugin.

  4. Good thing.... by bobbied · · Score: 1

    Good thing Linked in and Facebook don't actually have my real information...

    I'm no fool... Even if the information these sites have "leaks" they will only be sharing my alter ego's information, not mine. The ONLY time I use any of my real information is when it is legally required, and then only when I've verified who I'm talking to. I also routinely delete my browser cookies, and I don't use the browser to store my passwords... I don't use the same username all over the place and I use a password manager that allows me hugely complex passwords, yet is fully encrypted when it's not open, but only for the junk accounts. Sensitive stuff I keep in my head or in the nondescript notebook kept in the lock box. I've been doing this since before Facebook was invented...

    I've never understood the sheeple who just blindly type in things like their full legal name, birthday, phone number and the like... So what if all my friends wish me "happy birthday" on the wrong day...... Sheesh, if you put in all the information that Facebook asks for and expose family relationships, I can guarantee somebody can/will be able to steal your ID. Why not just put it on a billboard?

    Don't do it.... It's NOT worth it..

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101

    1. Re:Good thing.... by war4peace · · Score: 1

      Your first name is Bobbie.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)

    2. Re:Good thing.... by bobbied · · Score: 1

      Not even close....

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101

    3. Re:Good thing.... by Anonymous Coward · · Score: 0

      Nice try, Robert Allen Zimmerman. You can't fool us. We know The Times They Are a-Changin'.

    4. Re:Good thing.... by Ol+Olsoc · · Score: 1

      Good thing Linked in and Facebook don't actually have my real information...

      I'm no fool... Even if the information these sites have "leaks" they will only be sharing my alter ego's information, not mine.

      Leaks hell - LinkedIn actually asked me for my email Password when I was going to sign up. Took care of that. My email is fucklinkedin@kissmyass.com, and the password is eatshitanddie19$$

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    5. Re:Good thing.... by Dutch+Gun · · Score: 1

      LinkedIn is a site for sharing public, professional information. I point prospective employers or contracting agencies to my LinkedIn page, so for me, there's zero information I consider private on that site. Granted, I give these sites the *minimum* amount of required information, as you suggest, and that can be surprisingly little. Hell will freeze over before I give LinkedIn my e-mail's password, like they asked for.

      It seems like I drive LinkedIn crazy by not uploading a picture of myself, because they constantly bother me about it, and even gave me a little questionnaire about why I seemingly refused to do so. Sort of hilarious, really. At this point, I'm doing it just to annoy them a bit. Who gives a crap what I look like if someone is hiring me for my professional coding and game development experience? Apparently, only LinkedIn seems bothered by it.

      --
      Irony: Agile development has too much inertia to be abandoned now.

    6. Re:Good thing.... by war4peace · · Score: 1

      It was a joke, ma'am :)

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)

    7. Re:Good thing.... by Anonymous Coward · · Score: 0

      Yeah, I just politely told them "Not just No, but HELL NO!"

  5. As if Microsoft cares by Anonymous Coward · · Score: 0

    Why is this even a story? This has been a problem for years.

  6. Re: Get DEPENDS by Anonymous Coward · · Score: 0

    How many guys peed in your mouth today?

  7. Well deserved by Anonymous Coward · · Score: 0

    Anyone who has shit on LinkedIn deserves whatever shit that hits them.

  8. Recruitment agencies by TJHook3r · · Score: 1

    Great, so can I expect the number of 'friend' requests to drop from 20% to even lower? Currently about 80% are recruitment agencies anyway... maybe I just don't understand LinkedIn!

  9. Re: Get DEPENDS by Anonymous Coward · · Score: 0

    Better than Ivanka and Tiffany, and a cup.

  10. Confused by Anonymous Coward · · Score: 0

    Perhaps I'm confused, but I thought the whole purpose of LinkedIn is to publicize oneself.

  11. Good thing it only allows haxx0rz by Anonymous Coward · · Score: 1

    Because those are rare. Now if it had allowed common or garden variety data filching criminals, that would've been bad.

  12. Oblig by mentil · · Score: 1

    LinkedIn: We have fixed the autofill issue once and for all.
    Cable: But hackers can still use XSS and iframes to get data via whitelisted sites.
    LinkedIn: I said, ONCE AND FOR ALL!!

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.

  13. privacy invasion by Anonymous Coward · · Score: 0

    Linkedin is privacy invasion anyway. Public emails lol

  14. Stop giving them your data. by Anonymous Coward · · Score: 0

    Really is all you can do. Remove accounts, don't trust companies with your data. If you have to go with companies and brand names, choose one that doesn't ask for your information or share it for any reason.

  15. Away from these craps by jf_moreira · · Score: 1

    This month it's my three-year anniversary off LinkedIn, Facebook and Instagram. So glad I am not into these things. There is no such thing as "not private" data. The corporations are AVID for having your "not private" data and fill your soul with Ads.