LinkedIn’s Secret Fix Failed: Users’ Data Could Be Leaked

By Morgan T. McCulley


LinkedIn’s AutoFill plugin was recently found to be seriously flawed: hackers could easily steal a user’s full name, phone number, email address, ZIP code, company and job title. Sites with malicious intent could render the plugin and get all the data they wanted from visitors’ accounts.

The flaw was discovered on April 9th this year by researcher Jack Cable, who immediately disclosed it to LinkedIn. The company did not inform the public and issued a fix on April 10th. Even then, Cable warned the company that the fix was still vulnerable to hackers. After nine days of no response from LinkedIn, he reached out to TechCrunch. He said, “it is entirely possible that a company has been abusing this without LinkedIn’s knowledge, as it wouldn’t send any red flags to LinkedIn’s servers.”

LinkedIn told TechCrunch it doesn’t have proof that the flaw would at any point make user data vulnerable to hacking. The company believes this even though Cable can demonstrate, and has demonstrated, the security failure on a website he set up himself. That site was able to show the email address with one click anywhere on the page. The user would not know what had even happened. LinkedIn’s privacy settings do not stop this either.

LinkedIn issued the following statement on a better fix for the issues:

“We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.”

“For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile.”

Either way, Cable proves that big tech companies deserve to be criticized for their flaws. Social media companies like LinkedIn are too focused on gathering information rather than on something just as important, like security. The research makes it clear that quick fixes and updates will never solve the real issues. It really just takes one flaw for the whole of the data to be in danger. Many whitelisted sites, such as Twitter, have similar scripting problems. Symantec reported in 2007 that 84% of security flaws are because of these types of vulnerabilities.
