Researchers have found a flaw in LinkedIn’s AutoFill plugin, which lets websites offer users a quick way to fill out forms. The flaw could allow hackers to steal vital information such as full name, phone number, email address, ZIP code, company, and job title.
Certain hostile sites have easily been able to render the plugin across their entire page. This means that users who are logged into LinkedIn and click anywhere on such a page would be hitting a hidden “AutoFill with LinkedIn” button, handing over their data without their knowledge.
The issue was first identified by security researcher Jack Cable, who immediately reported it to LinkedIn. LinkedIn immediately issued a fix; however, it didn’t inform the public of the issue. Even after the fix was issued, the problem continued, as LinkedIn limited the use of its AutoFill feature to whitelisted sites, which pay LinkedIn to host their ads.
This meant that the feature was still open to abuse and hackers could still run AutoFill on their sites. LinkedIn claims that there’s no evidence that the weakness was exploited. However, the problem still persists. After Facebook went through its data scandal, every site is on high alert for any potential risk.