A flaw in LinkedIn’s AutoFill button created the potential for an attacker to harvest sensitive profile data without the user even knowing it.
LinkedIn has long offered an AutoFill button plugin for paying marketing solutions customers, who can add the button to their websites to let LinkedIn users fill in profile data with a single click.
The flaw, discovered by Jack Cable of Lightning Security, has already been fixed by LinkedIn. It should not have been possible in the first place: LinkedIn allows the AutoFill button to work only on whitelisted domains.
Cable found that this restriction did not hold in practice: any website with the button's code could harvest user information, and the user wouldn't even realize they were providing it.
A legitimate website using the AutoFill button would likely place it visibly, near the fields the button can fill. The button doesn't need to be visible at all, though, because according to Cable, “the AutoFill button could be made invisible and span the entire page, causing a user clicking anywhere to send the user’s information to the website.”
All an attacker would need is the button’s code and the know-how to build an invisible, page-spanning iframe, the standard clickjacking overlay: the victim thinks they are clicking the attacker's page, but the click lands on the hidden LinkedIn button.
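The overlay technique described above, alongside the embedding-origin check a profile-sharing widget needs to defeat it, as an added example that is not part of the original article and is not LinkedIn's code. The allow-list format (exact `scheme://host[:port]` origins), the `handleAutofillRequest` handler, the sample profile and the naive check are all assumptions made for illustration; nothing here reflects how LinkedIn's button or its fix is implemented.

```javascript
// Added example (hypothetical, not LinkedIn's code): the clickjacking-style
// overlay the article describes, and the embedding-origin check a widget
// should perform before releasing any profile data. Runs under Node.js.

// Attacker side: CSS that turns a third-party button iframe into an
// invisible layer covering the whole page, so any click lands on it.
function overlayStyle() {
  return {
    position: 'fixed',
    top: '0',
    left: '0',
    width: '100vw',
    height: '100vh',
    opacity: '0',          // invisible to the user
    zIndex: '2147483647',  // stacked above all page content
    border: '0',
  };
}

// Serialise to an inline style attribute, i.e. what a malicious page ships.
function overlayStyleAttr() {
  return Object.entries(overlayStyle())
    .map(([k, v]) => `${k.replace(/[A-Z]/g, c => '-' + c.toLowerCase())}:${v}`)
    .join(';');
}

// Defender side: strict origin allow-list check. Assumed allow-list format:
// a Set of exact "scheme://host[:port]" origins registered by customers.
function isAllowedOrigin(origin, allowlist) {
  let url;
  try { url = new URL(origin); } catch { return false; } // "null", garbage
  if (url.protocol !== 'https:') return false;
  // Compare the normalised origin as a whole. Substring or prefix matches
  // would accept "https://customer.example.evil.net".
  return allowlist.has(url.origin);
}

// Naive check of the kind that lets an arbitrary site embed the widget:
// it trusts any origin that merely contains an allowed hostname.
function naiveIsAllowed(origin, allowlist) {
  return [...allowlist].some(a => origin.includes(new URL(a).hostname));
}

// Widget entry point: the fields the article lists are released only to an
// embedder whose origin (e.g. from a postMessage event) is on the allow-list.
function handleAutofillRequest(event, allowlist, profile) {
  if (!isAllowedOrigin(event.origin, allowlist)) {
    return { ok: false, reason: 'embedding origin not on allow-list' };
  }
  const { firstName, lastName, email, company, location } = profile;
  return { ok: true, data: { firstName, lastName, email, company, location } };
}

// Constructed sample data (assumptions, not real accounts or customers).
const ALLOWLIST = new Set(['https://customer.example']);
const SAMPLE_PROFILE = {
  firstName: 'Ada', lastName: 'User', email: 'a.user@example.com',
  company: 'Example Corp', location: 'Example City',
};

// Compare both checks against a mix of legitimate and hostile origins.
function demo() {
  const origins = [
    'https://customer.example',           // registered customer
    'https://customer.example.evil.net',  // lookalike host
    'http://customer.example',            // wrong scheme
    'null',                               // sandboxed / opaque origin
  ];
  return origins.map(origin => ({
    origin,
    strict: isAllowedOrigin(origin, ALLOWLIST),
    naive: naiveIsAllowed(origin, ALLOWLIST),
    released: handleAutofillRequest({ origin }, ALLOWLIST, SAMPLE_PROFILE).ok,
  }));
}

console.table(demo());
```

Run with `node overlay.js`: the strict check releases data only for `https://customer.example`, while the naive substring check also accepts the lookalike host. The overlay itself is a browser-side trick, so the check has to run somewhere the attacker's page cannot influence, which is why a server-side allow-list with whole-origin comparison matters more than where the button is drawn.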
Cable built a test page to demonstrate the bug (you need to be logged into LinkedIn when you try it), showing that it can grab first and last names, email addresses, employers, and locations. That information may not seem like a lot, since much of it is already visible on public profiles, but email addresses in particular often are not, and the combined data could be used for identity fraud, targeted phishing, and other crimes.
The AutoFill bug was discovered on April 9, 2018, and as of April 19 has been patched by LinkedIn. LinkedIn said that it found no known cases of exploitation, and with the bug now patched users should be able to use the AutoFill button without concern.