LinkedIn AutoFill bug could leak personal data to third parties and attackers

A flaw in LinkedIn’s AutoFill button created the potential for an attacker to harvest sensitive profile data without the user even knowing it. LinkedIn has long offered an AutoFill button plugin for paying marketing solutions customers, who can add the button to their websites to let LinkedIn users fill in profile data with a single click.

The flaw, discovered by Jack Cable of Lightning Security, has already been fixed by LinkedIn. The problem should not have been possible in the first place: LinkedIn only allows the AutoFill button to work on whitelisted domains. Cable found that this restriction was not effective in practice: any website carrying the button’s code could harvest user information, and the user wouldn’t even realize they were providing it.
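The defensive point in the paragraph above is that an embeddable widget's data endpoint must enforce its domain allowlist on the server, with an exact origin match, rather than trusting that only approved sites host the button. The following is an added example written for this page, not LinkedIn's code, and the page does not say how LinkedIn's own restriction failed; the names `ALLOWED_ORIGINS`, `isAllowedOriginWeak`, `isAllowedOrigin` and `handleAutofillRequest` and the request objects are constructed for illustration. It places a substring-based check, which a lookalike hostname defeats, beside an exact-origin check.

```javascript
// Added example, not LinkedIn's code: server-side allowlisting of the embedding
// origin for a widget's profile-data endpoint. All names and values here are
// constructed for illustration.

// Assumed allowlist of customer sites permitted to embed the widget.
const ALLOWED_ORIGINS = new Set([
  "https://partner.example",
  "https://careers.partner.example",
]);

// Weak check: substring match on the Origin header. A lookalike host such as
// "https://partner.example.attacker.test" passes, as does any origin that merely
// contains an allowlisted string somewhere.
function isAllowedOriginWeak(origin) {
  if (typeof origin !== "string") return false;
  for (const allowed of ALLOWED_ORIGINS) {
    if (origin.includes(allowed)) return true;
  }
  return false;
}

// Exact check: parse the Origin header and compare the normalized origin
// (scheme + host + port) against the allowlist. Opaque ("null") and
// unparseable origins are rejected, and only https is accepted.
function isAllowedOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  return parsed.protocol === "https:" && ALLOWED_ORIGINS.has(parsed.origin);
}

// Minimal stand-in for the endpoint that returns profile fields to the widget.
// `req` is a constructed object with a `headers` map; `profile` is the data that
// would be released to the embedding page only after the origin check passes.
function handleAutofillRequest(req, profile) {
  const origin = req.headers["origin"];
  if (!isAllowedOrigin(origin)) {
    return { status: 403, body: { error: "origin not allowlisted" } };
  }
  return {
    status: 200,
    // Echo back only the verified origin so CORS stays as narrow as the allowlist.
    headers: { "Access-Control-Allow-Origin": origin, "Vary": "Origin" },
    body: profile,
  };
}

// Demonstration on constructed origins: the weak check lets the lookalike
// host through, the exact check does not.
const sampleProfile = { name: "Example User", email: "user@example.test" };
for (const origin of [
  "https://partner.example",
  "https://partner.example.attacker.test",
  "https://evil.test/?u=https://partner.example",
]) {
  console.log(
    origin,
    "weak:", isAllowedOriginWeak(origin),
    "exact:", isAllowedOrigin(origin),
    "status:", handleAutofillRequest({ headers: { origin } }, sampleProfile).status
  );
}
```

The Origin header is set by browsers on cross-origin requests and cannot be altered by page script, so this check decides which embedding pages can receive the data; it complements, rather than replaces, verifying the user's own authenticated session on the same endpoint.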

Read more about the flaw in LinkedIn’s AutoFill button on TechRepublic.
