Critical LinkedIn AutoFill Vulnerability Allow Hackers to Steal LinkedIn Users Sensitive Information

A newly discovered vulnerability in LinkedIn's AutoFill functionality leaks users' sensitive information to third-party websites.

LinkedIn provides an AutoFill feature that lets other websites fill in information such as a LinkedIn user's name, email address, phone number, location, and job.

LinkedIn offers this feature only to paying customers of LinkedIn's Marketing Solutions, where it is meant to increase the volume and quality of conversions.

LinkedIn AutoFill Feature

Customer domains must be whitelisted for LinkedIn AutoFill to function, but this vulnerability could bypass that restriction and leak the sensitive information.

This vulnerability allowed an attacker to steal a user's full name, phone number, email address, ZIP code, company and job title.

In this case, if any of those sites have cross-site scripting vulnerabilities, which Cable confirmed some do, hackers can still run AutoFill on their sites by installing an iframe to the vulnerable whitelisted site, TechCrunch says.

The exposed LinkedIn flaw works in the following way:

  1. The user visits the malicious site, which loads the LinkedIn AutoFill button iframe.
  2. The iframe is styled so it takes up the entire page and is invisible to the user.
  3. The user clicks anywhere on the page. LinkedIn interprets this as the AutoFill button being pressed, and sends the information via postMessage to the malicious site.
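The three steps above come down to two missing controls: the embedded widget must know which top-level page is framing it and send profile data only to an exactly allowlisted origin (never with a targetOrigin of "*"), and the embedding page must accept messages only from the widget's own origin. The following is an added example, not LinkedIn's code or code from the article; the allowlist, widget origin and profile values are constructed, and the embedder origin is assumed to be supplied by the server that serves the iframe.

```javascript
// Added illustration (not from the article or LinkedIn): the origin checks an
// AutoFill-style cross-origin widget needs. All names and values are constructed.

// Exact origins that may embed the widget (constructed allowlist).
const ALLOWED_EMBEDDERS = new Set([
  'https://customer-a.example',
  'https://careers.customer-b.example',
]);

// Reduce a URL or origin string to scheme://host[:port]. Anything unparseable
// or non-https yields null, so callers fail closed instead of guessing.
function normalizeOrigin(value) {
  try {
    const u = new URL(value);
    return u.protocol === 'https:' ? u.origin : null;
  } catch (_) {
    return null;
  }
}

// Exact-match allowlist check. A suffix test like endsWith('customer-a.example')
// would also accept https://customer-a.example.attacker.test, so whole origins
// are compared after normalisation.
function isAllowedEmbedder(origin, allowlist = ALLOWED_EMBEDDERS) {
  const norm = normalizeOrigin(origin);
  return norm !== null && allowlist.has(norm);
}

// Widget side: what to send when the AutoFill button is clicked. embedderOrigin
// stands for the top-level origin the iframe is embedded in (assumed to be
// determined server-side when the iframe is served). Returns the message the
// widget would hand to postMessage, or null to send nothing. targetOrigin is
// always the allowlisted origin, never '*'.
function buildAutofillMessage(embedderOrigin, profile, allowlist = ALLOWED_EMBEDDERS) {
  if (!isAllowedEmbedder(embedderOrigin, allowlist)) return null;
  return { targetOrigin: normalizeOrigin(embedderOrigin), data: { ...profile } };
}

// Embedding-site side: accept profile data only from the widget's own origin,
// dropping any message another frame or page posts.
function handleAutofillMessage(event, widgetOrigin) {
  if (event.origin !== widgetOrigin) return null;
  if (!event.data || typeof event.data !== 'object') return null;
  return event.data;
}

// CSP header value the widget's server should emit so browsers refuse to render
// it inside any page that is not on the allowlist (blocks the invisible framing
// in step 2 outright, independent of the postMessage logic above).
function frameAncestorsHeader(allowlist = ALLOWED_EMBEDDERS) {
  return `frame-ancestors ${[...allowlist].join(' ')}`;
}
```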

According to researcher Jack Cable, “It seems like LinkedIn accepts the risk of whitelisted websites (and it is a part of their business model), yet this is a major security concern.”

As a result, a compromise of any of the whitelisted websites would have exposed the information of LinkedIn users to malicious hackers.

Cable discovered the issue on April 9th, 2018 and immediately disclosed it to LinkedIn. The company issued a fix on April 10th but didn't inform the public of the issue.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
