google-site-verification: google30a059f9a075f398.html

Critical LinkedIn AutoFill Vulnerability Allow Hackers to Steal LinkedIn Users Sensitive Information

CyberWisdom Safe Harbor Commentary

Today I came across this story from gbhackers.com that guides a surprising new vulnerability discovered in the LinkedIn autocomplete feature leaks sensitive user information to third-party websites.

LinkedIn provides other sites with an auto-filled future to fill LinkedIn’s user name, email address, phone number, location, and job information.

LinkedIn only provides increased conversions and quality for paid customers of LinkedIn’s marketing solutions.

LinkedIn automatically populates the Autofill

The client domain must be whitelisted for the LinkedIn Autocomplete feature to work, but this vulnerability could abuse this restriction and reveal sensitive information.

This vulnerability allows an attacker to steal your full name, phone number, email address, zip code, company, and position.

In this case, if there is a cross-site scripting vulnerability at any one of these sites, then Cable has identified certain vulnerabilities, but hackers can still run autocomplete on their sites by installing iframes on vulnerable whitelist sites. Techcrunch Say.

Expose LinkedIn to work flawed in the following ways,

The user accesses a malicious website that loads the LinkedIn autofill button iframe.
The iframe style makes it occupy the entire page and is not visible to the user.
The user clicks anywhere on the page. LinkedIn interprets this as an auto-complete button that was pressed and sends the post to the malicious site via postMessage.
According to researcher Jack Cable, “It seems that LinkedIn has accepted the risk of whitelisting sites (which is part of its business model), but this is a major security issue,”

This results in the compromise of any whitelisted website that exposes LinkedIn users’ information to malicious hackers.

He discovered the problem on April 9, 2018 and immediately disclosed it to LinkedIn. The company issued an amendment on April 10 but did not notify the public about this issue.

Read more…

A new vulnerability discovered in LinkedIn AutoFill functionality leaks users sensitive information to 3rd party websites. LinkedIn provides an AutoFill a future for other websites to fill information such as LinkedIn user’s name, email address, phone number, location, and job. This Linkedin provides only for paying customers of LinkedIn’s Marketing Solutions increases the volume and quality of conversions. Customer domains Engaging post, Read More…

thumbnail courtesy of gbhackers.com

If you like to receive more of these curated safe harbor news alerts then subscribe to my mailing list. and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries. Home » Curated SafeHarboronCyber’s CyberWisdom Post » Critical LinkedIn AutoFill Vulnerability Allow Hackers to Steal LinkedIn Users Sensitive Information