LinkedIn AutoFill bug could leak personal data to third parties and attackers

A flaw in LinkedIn’s AutoFill button created the potential for an attacker to harvest sensitive profile data without the user even knowing it. LinkedIn has long offered an AutoFill button plugin for paying marketing solutions customers, who can add the button to their websites to let LinkedIn users fill in profile data with a single click.

The flaw, discovered by Jack Cable of Lightning Security, has already been fixed by LinkedIn. The problem Cable discovered should not have even been possible in the first place: LinkedIn only allows the AutoFill button to work on whitelisted domains. That’s not what Cable discovered, though: Any website with the button’s code could harvest user information and the user wouldn’t even realize they were providing it.

Read more about the flaw in LinkedIn’s AutoFill button on TechRepublic.