By Morgan T. McCulley
LinkedIn's AutoFill plugin was recently found to have a serious flaw: a site with malicious intent could render the plugin and harvest a visitor's full name, phone number, email address, ZIP code, company and job title from their LinkedIn account.
The flaw was discovered on April 9th this year by researcher Jack Cable, who immediately disclosed it to LinkedIn. The company did not inform the public and issued a fix on April 10th. Even then, Cable warned the company that the fix was still exploitable. After nine days with no response from LinkedIn, he reached out to TechCrunch. He said, "it is entirely possible that a company has been abusing this without LinkedIn's knowledge, as it wouldn't send any red flags to LinkedIn's servers."
LinkedIn told TechCrunch it had no evidence that the flaw had ever exposed user data. The company maintained this even though Cable demonstrated the failure on a website he set up himself: a single click anywhere on the page was enough to reveal the visitor's email address, the user would have no indication that anything had happened, and LinkedIn's privacy settings did nothing to prevent it.
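The attack above works because the widget fills the form on any click, with no way for the user to see that it fired. As an added illustration (this is not LinkedIn's code and not Cable's proof of concept), the following models the checks a profile-autofill widget could apply before copying profile data into the host page's form: an exact-match origin allowlist, a user-initiated click, and a sanity check that the button is large enough to be seen but not stretched over the whole page. The origins, size thresholds and the plain-object inputs are assumptions made for this example; in a browser the inputs would come from the embed's registered origin, `event.isTrusted` and the frame's own window dimensions.

```javascript
// Added example, not LinkedIn's code. Models the decision a profile-autofill
// widget should make before filling a host page's form. Inputs are plain
// objects so the logic runs under Node without a DOM.

// Hypothetical allowlist of approved advertiser origins (assumption).
const ALLOWED_ORIGINS = new Set([
  'https://ads.example',
  'https://careers.example',
]);

// Smallest plausible size for a real button, and the fraction of the screen
// beyond which a "button" is really a click-anywhere overlay. Both thresholds
// are assumptions chosen for this example.
const MIN_BUTTON_PX = 24;
const MAX_SCREEN_FRACTION = 0.5;

function originAllowed(origin) {
  // Exact match on scheme+host: a substring or regex match would let
  // "https://ads.example.evil" through.
  return ALLOWED_ORIGINS.has(origin);
}

function widgetPlausiblyVisible(frame) {
  // frame: { width, height, screenWidth, screenHeight } in CSS pixels
  if (!(frame.width >= MIN_BUTTON_PX && frame.height >= MIN_BUTTON_PX)) {
    return false; // collapsed to nothing: the user cannot see it
  }
  const area = frame.width * frame.height;
  const screenArea = frame.screenWidth * frame.screenHeight;
  return area <= screenArea * MAX_SCREEN_FRACTION; // not stretched over the page
}

function shouldAutofill(req) {
  // req: { origin, click: { isTrusted }, frame }
  const reasons = [];
  if (!originAllowed(req.origin)) reasons.push('origin not on allowlist');
  if (!req.click || req.click.isTrusted !== true) reasons.push('click not user-initiated');
  if (!req.frame || !widgetPlausiblyVisible(req.frame)) reasons.push('widget hidden or overlaid');
  return { allow: reasons.length === 0, reasons };
}

// Constructed inputs for this example.
const legitimate = {
  origin: 'https://ads.example',
  click: { isTrusted: true },
  frame: { width: 220, height: 40, screenWidth: 1440, screenHeight: 900 },
};
const overlayAttack = {
  origin: 'https://ads.example', // allowlisted host, but the button is
  click: { isTrusted: true },    // stretched over the whole page
  frame: { width: 1440, height: 900, screenWidth: 1440, screenHeight: 900 },
};
const rogueSite = {
  origin: 'https://attacker.example',
  click: { isTrusted: true },
  frame: { width: 220, height: 40, screenWidth: 1440, screenHeight: 900 },
};

for (const [name, req] of Object.entries({ legitimate, overlayAttack, rogueSite })) {
  console.log(name, JSON.stringify(shouldAutofill(req)));
}
```

The size check is only a heuristic: a cross-origin frame cannot read the host page's CSS, so it cannot tell whether it has been set to `opacity: 0` or covered by another element. The origin check has the limitation the article raises below: a script injected through XSS on a whitelisted domain runs with that domain's origin and passes the allowlist, so the remaining defence is to show the user exactly what will be shared before it is sent.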
LinkedIn issued the following statement on a further fix for the issue:
“We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.
“For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile.”
Either way, Cable's findings show that big tech companies deserve to be criticized for such flaws. Social networks like LinkedIn are more focused on gathering information than on something just as important: securing it. The research makes clear that quick fixes and updates do not address the underlying problem; it takes only one flaw to put all of the data at risk. Many whitelisted sites, Twitter among them, have cross-site scripting problems of their own, so a domain whitelist on its own is not a complete defence. Symantec reported in 2007 that 84% of the security vulnerabilities it documented were of this type.