Business and employment services of LinkedIn have been helpful to people from all over the world. Job-hunting can be very stressful and complicated, but LinkedIn has made this process easier. However, given the popularity and success this job-offering service has achived, it is not a surprise that cyber-criminals choose its services as a target.
For instance, one year ago, in April of 2017, we warned users that scammers were initiating a spam campaign, giving hope to people desperately seeking jobs. Furthermore, in August of 2017, vulnerability allowed hackers to transmit malicious executables thru the LinkedIn services. In April of 2018, a similar scenario threatened the security of LinkedIn users once again.
AutoFill plugin could have allowed any website to steal users’ private information
Even though LinkedIn is operated by professional, trained technicians, they were unable to detect a flaw in the AutoFill plugin. The specialists were outsmarted by a white hat hacker, a teenager named Jack Cable. He published his discovery in his Lightingsecurity.io website, and the news spread all over the world very quickly.
According to LinkedIn, the AutoFill feature has been available for a very long time, but the service explained that the plugin only works on specifically whitelisted websites. Unsure of what the AutoFill plugin actually does? Well, the plugin can be exploited by other websites to let LinkedIn users quickly fill in profile data, including their names, email address, Zip codes, phone numbers and similar information, provided to the LinkedIn service.
However, according to the white hat hacker Cable, this plugin contained a rather simple, but very important vulnerability. It appeared that almost any website was able to retrieve the information from users’ LinkedIn accounts. This contradicts the official statements of LinkedIn, claiming that only white-listed domains will be provided with such data. A vicious hacker could add an invisible button for the AutoFill plugin. If a person accidentally clicks it, he/she would provide the attacker with a lot of confidential information.
A fix for the flaw in AutoFill has been released
Cable published his discovery on 9th of April, and representatives of LinkedIn were not idle to respond. The next day, a service released a temporary fix and spoke about the detected vulnerability publicly. However, it took some time for the specialists to generate a permanent solution. Against all odds, the full solution fix was released on 19th of April. It is stated that researchers have not noticed that this vulnerability would have been exploited in the wild, but small attacks could have easily been missed.