As it may always have been, the internet seems a sketchy place for your personal information. After the fallout over data privacy at Facebook, it has been found that other popular sites have a few bugs as well. Most recently, LinkedIn was believed to be compromised via its AutoFill feature. AutoFill gives users a faster way to enter their personal information into the forms that most websites require; with LinkedIn specifically, it fills out forms using information from the user's LinkedIn profile. However, some websites may be unaware that attackers can abuse this plugin feature to gather the personal information of their users.
The issue was first pointed out to LinkedIn by a researcher named Jack Cable, who contacted the company to let them know he had uncovered the flaw. LinkedIn responded to the report almost immediately, issuing a “secret” fix. The company hoped it would correct the problem without having to bring the issue to the public; however, the fix failed, and the same researcher who found the issue in the first place reported that as well.
Cable has heard no reply from the company to date on the failure of the patch. He sent his correspondence to TechCrunch, a notable technology news website. See the full article here: LinkedIn’s AutoFill plugin could leak user data, secret fix failed.
Cable criticized LinkedIn for relying, in its fix, on a whitelist of sites that pay the company. He argued that just because a site is cleared by the employing website doesn’t mean it is free of security flaws of its own, so it still offers an opportunity for information to be extracted. LinkedIn responded to TechCrunch that there was no evidence the plugin had been used to collect any information, as it saw no red flags on its servers. LinkedIn also commented that it is working on a more comprehensive fix that would be in place shortly.
In the meantime, however, Cable is not impressed with how the company has handled things to this point. He said that the website accepted the risk of infiltration through the whitelist, as it was in their business model to do so; nevertheless, this still poses a “major security concern”. While the company initially responded quickly to the report, its diligence on the issue seems to be waning. Nine days have passed with supposedly no answer on the issue, so it remains to be seen whether LinkedIn will reply publicly.