Autofill with LinkedIn Bug Could Lead to User Data Harvesting

A critical security bug has been discovered in LinkedIn, more specifically in one of its social buttons. Exploiting the bug could have allowed harvesting of LinkedIn users’ information, including information that wasn’t public. The discovery was made by Jack Cable, an 18-year-old bug hunter from Chicago.

More about the LinkedIn Autofill Bug

Apparently, the vulnerability resided in the platform’s AutoFill feature that powers the corresponding “AutoFill with LinkedIn” buttons implemented on some public job portals. The LinkedIn button can be added to job application forms, and clicking it sends a query to LinkedIn. Once this is done, the user’s information is retrieved and embedded in the job application form.

Even though these buttons are useful, they can be abused by any website to harvest user information. The button can be hidden and overlaid on an entire page: any website could embed it secretly, modifying the button’s size to cover the screen and making it invisible by simply altering some CSS settings.

This is how an attack is carried out, as explained by the young researcher:

1. The user visits the malicious site, which loads the LinkedIn AutoFill button iframe.
2. The iframe is styled so it takes up the entire page and is invisible to the user.
3. The user clicks anywhere on the page. LinkedIn interprets this as the AutoFill button being pressed, and sends the information via postMessage to the malicious site.
4. The site harvests the user’s information via specific code.

Furthermore, any user who has landed on such a page may have unknowingly submitted their LinkedIn information to the website simply by clicking anywhere on it.
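The flow above has two trust boundaries that both failed: the widget inside the iframe handed profile data to whatever parent page embedded it, and the parent page was free to style the frame into an invisible full-screen overlay. The following is an added example written for this article, not code from LinkedIn or from the researcher. It models the defensive checks a service and a legitimate embedding page would apply, using plain objects in place of the real DOM and `window` so it runs under Node: an exact-match allowlist of embedder origins on the widget side, an `event.origin` and field check on the receiving page, and a heuristic that flags a frame covering the viewport while effectively invisible. The origins, profile fields and frame geometry are constructed sample values.

```javascript
// Added example (not from the article or LinkedIn): three defensive checks
// for an "autofill from a third-party widget via postMessage" design.

// 1. Widget side: only release profile data to parent origins the service
//    has approved. The allowlist is an exact match on scheme + host (+ port);
//    substring matching would let "https://jobs.example-allowed.com.evil.test" through.
const ALLOWED_EMBEDDERS = new Set([
  "https://jobs.example-allowed.com", // constructed placeholder origin
]);

function isAllowedEmbedder(origin) {
  return typeof origin === "string" && ALLOWED_EMBEDDERS.has(origin);
}

// requesterOrigin stands in for the origin of the page that framed the widget
// (in a real widget: checked against the referrer/ancestor origin, never trusted
// from the message body itself).
function releaseProfile(profile, requesterOrigin) {
  if (!isAllowedEmbedder(requesterOrigin)) {
    return { released: false, reason: "embedder origin not allowlisted" };
  }
  return { released: true, data: { ...profile } };
}

// 2. Receiving page side: a legitimate job form must verify event.origin before
//    trusting a postMessage payload, and should copy only the fields it expects.
function handleAutofillMessage(event, trustedOrigin, allowedFields) {
  if (!event || event.origin !== trustedOrigin) return null; // wrong sender
  let payload = event.data;
  if (typeof payload === "string") {
    try {
      payload = JSON.parse(payload);
    } catch (e) {
      return null; // malformed message
    }
  }
  if (!payload || typeof payload !== "object") return null;
  const accepted = {};
  for (const field of allowedFields) {
    if (typeof payload[field] === "string") accepted[field] = payload[field];
  }
  return accepted;
}

// 3. Overlay heuristic (the kind of check a browser extension or the widget's
//    own frame-side script could run): a frame that covers ~the whole viewport
//    yet is effectively invisible matches the styling used in step 2 above.
function looksLikeHiddenOverlay(frame, viewport) {
  const coversViewport =
    frame.width >= viewport.width * 0.9 && frame.height >= viewport.height * 0.9;
  const invisible = frame.opacity <= 0.05 || frame.visibility === "hidden";
  return coversViewport && invisible;
}

// Constructed sample inputs.
const SAMPLE_PROFILE = { name: "A. Sample", email: "a.sample@example.test", phone: "000-0000" };
const VIEWPORT = { width: 1280, height: 800 };
const BENIGN_FRAME = { width: 200, height: 40, opacity: 1, visibility: "visible" };
const SUSPICIOUS_FRAME = { width: 1280, height: 800, opacity: 0, visibility: "visible" };

function demo() {
  return {
    releasedToAllowed: releaseProfile(SAMPLE_PROFILE, "https://jobs.example-allowed.com").released,
    releasedToUnknown: releaseProfile(SAMPLE_PROFILE, "https://malicious.example.test").released,
    acceptedFields: handleAutofillMessage(
      { origin: "https://www.linkedin.com", data: JSON.stringify(SAMPLE_PROFILE) },
      "https://www.linkedin.com",
      ["name", "email"]
    ),
    benignFlagged: looksLikeHiddenOverlay(BENIGN_FRAME, VIEWPORT),
    suspiciousFlagged: looksLikeHiddenOverlay(SUSPICIOUS_FRAME, VIEWPORT),
  };
}

console.log(demo());
```

The allowlist in part 1 is the control that actually closes the hole described in the article: once the widget refuses to release data to an origin that is not on it, an invisible overlay on an arbitrary site gets nothing from a click. Parts 2 and 3 are defence in depth for the pages that do embed such a widget and for anyone monitoring for the overlay pattern.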


*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Milena Dimitrova.