- A flaw in LinkedIn’s AutoFill button could have allowed an attacker to steal profile data by creating an invisible AutoFill iframe that takes up an entire page, forcing a user to submit data by clicking anywhere.
- LinkedIn has acknowledged the flaw and patched it. Users shouldn’t need to take any action and should be able to use the AutoFill button securely.
A flaw in LinkedIn’s AutoFill button created the potential for an attacker to harvest sensitive profile data without the user even knowing it.
LinkedIn has long offered an AutoFill button plugin for paying marketing solutions customers, who can add the button to their websites to let LinkedIn users fill in profile data with a single click.
The flaw, discovered by Jack Cable of Lightning Security, has already been fixed by LinkedIn. The problem Cable discovered should not have been possible in the first place: LinkedIn only allows the AutoFill button to work on whitelisted domains.
That restriction did not hold in practice, though. Cable found that any website with the button's code could harvest user information, and the user wouldn't even realize they were providing it.
Hiding a button in plain sight
A legitimate website using the AutoFill button would likely place it near the fields the button can fill. The button doesn't need to be placed there, though: according to Cable, "the AutoFill button could be made invisible and span the entire page, causing a user clicking anywhere to send the user's information to the website."
All an attacker would need is the button’s code and the know-how to build an invisible, website-spanning iframe.
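The defence against this class of problem is for the widget's own server to decide which sites may frame it, rather than trusting whatever page happens to include the button code. The following is an added example, not LinkedIn's code or any code from the article: a small Node.js module for a hypothetical profile-fill widget that keeps an explicit allowlist of embedding origins (the two hostnames below are constructed placeholders), checks the requesting page's Origin or Referer against that list by exact origin match, and emits a `Content-Security-Policy: frame-ancestors` header so the browser itself refuses to render the widget inside an unapproved frame.

```javascript
// Added example (not LinkedIn's code): restricting who may embed a
// profile-fill widget. The allowlist entries are constructed placeholders.
const ALLOWED_EMBEDDERS = new Set([
  'https://partner.example',
  'https://shop.example',
]);

// Reduce a Referer or Origin header value to a scheme+host[:port] origin.
// Returns null when the value is absent, malformed or not https, so that
// every caller fails closed instead of serving data to an unknown page.
function originOf(headerValue) {
  if (!headerValue) return null;
  try {
    const u = new URL(headerValue);
    if (u.protocol !== 'https:') return null;
    return u.origin;
  } catch (err) {
    return null;
  }
}

// Exact-origin comparison. A substring or suffix test would accept a host
// such as "partner.example.attacker.test", so the whole origin must match.
function isAllowedEmbedder(headerValue) {
  const origin = originOf(headerValue);
  return origin !== null && ALLOWED_EMBEDDERS.has(origin);
}

// Headers the widget response should carry. frame-ancestors makes the
// browser refuse to render the widget in any frame whose ancestors are not
// on the allowlist; X-Frame-Options is only a fail-closed fallback for
// browsers that ignore CSP (it will also block partners on such browsers).
function widgetHeaders() {
  const ancestors = ["'self'", ...ALLOWED_EMBEDDERS].join(' ');
  return {
    'Content-Security-Policy': `frame-ancestors ${ancestors}`,
    'X-Frame-Options': 'SAMEORIGIN',
  };
}

// Server-side decision for a widget request. `headers` is a plain object of
// lower-cased request header names, as a framework would hand it to us.
// Profile data is only returned when the embedding origin is approved.
function handleWidgetRequest(headers) {
  const embedder = headers['origin'] || headers['referer'];
  if (!isAllowedEmbedder(embedder)) {
    return { status: 403, headers: widgetHeaders(), body: 'embedding not permitted' };
  }
  return { status: 200, headers: widgetHeaders(), body: 'widget' };
}
```

The Referer check and the `frame-ancestors` header complement each other: the header stops the browser from drawing the widget inside a frame on an unlisted site, and the server-side check stops the data endpoint from answering even if a client strips or spoofs headers. Neither helps when an allowlisted site is itself compromised, which is the residual risk the article goes on to describe; the only mitigation for that is keeping the allowlist short and the partner sites well maintained.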
Cable built a test page to demonstrate the bug (make sure you’re logged into LinkedIn when you try it), showing that it can grab first and last names, email addresses, employers, and location. That information may not seem like a lot, especially since much of it is already public, but it could be used to perpetrate identity fraud and other crimes.
The AutoFill bug was discovered on April 9, 2018, and as of April 19 has been patched by LinkedIn. LinkedIn said that it found no known cases of exploitation, and with the bug now patched users should be able to use the AutoFill button without concern.
Cable does point out that a compromise of any whitelisted website could have allowed an attacker to harvest data using an invisible AutoFill button. It may not have happened this time, according to LinkedIn, but security compromises due to careless coding are all too common and all too devastating for those affected.