The flaw revolves around the business networking platform’s AutoFill button, which allows third-party sites to autofill information including users’ name, email address, phone number, location, and job.
He discovered earlier this month that any sites could use the feature, styling the iframe so it takes up the entire page and is invisible to the user.
This means that if a visitor clicks anywhere on that site, LinkedIn interprets this as an AutoFill button being pressed and sends the relevant user data to the malicious webmaster.
LinkedIn fixed the feature a day after being informed, restricting it to whitelisted sites paying to host ads. However, this still left users potentially exposed. That’s because any of those whitelisted sites which have cross-site scripting vulnerabilities would have allowed hackers to run the same maliciously crafted iframe on them to harvest user details.
“We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.”
The incident comes at a sensitive time for online firms which collect and share data on users with third parties, following the Cambridge Analytica scandal which unearthed serious deficiencies in Facebook’s terms of service agreements with app developers.