An AutoFill plugin offered to LinkedIn members was affected by a bug that could have allowed an attacker to steal users’ personal data without their knowledge. LinkedIn has long offered an AutoFill button plugin to paying marketing solutions customers, who can add the button to their websites to let LinkedIn users fill in profile data with a single click. Unfortunately, little did users know that they were exposing sensitive information such as email addresses, telephone numbers and job details. Martin Jartelius commented below.
Martin Jartelius, CSO at Outpost24:
1 – Overall, yes, users should not use autofill unless they are prepared to put their information at
The information is partially stored in the browser and subject to local attacks there, but there are well-known abuses against autofill behavior, not only in the LinkedIn setup but also in the browsers themselves. Whenever you opt to store information for use later, not only do you duplicate it, you also put it at risk of leakage and exposure, so consider several times whether it is worth exposing said data. On the other hand – most information you share with a social network is not going to be your most intimate information. But remember that the same risks apply to account information as well as payment details.
2 – This was an example of a form of clickjacking, performed by a site owner in an unexpected manner. Essentially, when a website is found exposed, attempts will be made to violate the intended technical constraints and obtain the data of interest. In the case of the LinkedIn functionality, even a rather rudimentary security audit of the functionality upon its release should have caught this – so if you are creating new exposures of your users’ data, ensure it is tested by a competent analyst prior to release. It’s an investment in your customers’ trust in you as a safeguard for their privacy.
3 – This was an interesting attack as it took the risks of clickjacking, a well-known and understood risk, and implemented them in a practical attack that proved successful. However, note that the attack by itself is not that novel, and that abuse of autofill is common due to the nature of the functionality in browsers – Chrome being the worst of the bunch.
In the case of Chrome, adding hidden fields that are invisible to the user helps, but the hidden fields will still be auto-filled by the browser and thereby submitted to the attacker’s website – so even with a benign exposure of just name and email, you are still giving away all your personal details.
Other browsers, such as Safari, inform a user prior to leaking their data, and Firefox does not support full form fills but line-by-line auto-completes that users need to accept.
As the GDPR is mandating a privacy-by-design approach, it should be noted that vendors have to think twice about how they implement their tools; even though they are not processors or controllers, they are clearly part of the problem.
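As an added example (not code from the article or from Outpost24), the following heuristic audit flags form fields that a browser may auto-fill while the user cannot see them, the pattern Jartelius describes for Chrome. The field descriptors and the sample form are constructed; in a real page they would be built from the DOM with getComputedStyle(), and the name-matching fallback is an assumption about how browsers infer field purpose.

```javascript
// Added example, not code from the article or from Outpost24: a heuristic audit
// that flags form fields a browser may auto-fill although the user cannot see
// them. Field descriptors are constructed inline; in a browser they would be
// built from document.querySelectorAll('input') and getComputedStyle().

// HTML autocomplete tokens that name personal data a browser will fill in.
const PERSONAL_TOKENS = new Set([
  'name', 'given-name', 'family-name', 'email', 'tel', 'organization',
  'organization-title', 'street-address', 'postal-code', 'country-name',
]);
// Fallback for fields without an autocomplete attribute: browsers also infer
// purpose from the field name, so the audit does the same (assumed heuristic).
const PERSONAL_NAME_RE = /name|mail|phone|tel|address|street|zip|postal|company|title/i;

// Style checks that hide a field while it remains part of the submitted form.
function isInvisible(style) {
  const n = (v) => Number.parseFloat(v);
  return style.display === 'none'
    || style.visibility === 'hidden'
    || n(style.opacity) === 0
    || (n(style.width) <= 1 && n(style.height) <= 1)
    || n(style.left) < -1000 || n(style.top) < -1000;
}

// <input type="hidden"> is not auto-filled; the abuse relies on ordinary text
// inputs styled out of sight. autocomplete="off" is treated as advisory only.
function isAutofillable(field) {
  if (field.type === 'hidden') return false;
  const token = (field.autocomplete || '').trim().split(/\s+/).pop();
  return PERSONAL_TOKENS.has(token) || PERSONAL_NAME_RE.test(field.name || '');
}

// Returns the names of fields that are both invisible and auto-fillable.
function findHiddenAutofillFields(fields) {
  return fields
    .filter((f) => isAutofillable(f) && isInvisible(f.style || {}))
    .map((f) => f.name);
}

// Constructed sample form: the two fields the user expects to fill plus three
// that are styled out of sight but still carry auto-fill hints.
const shown = { display: 'block', visibility: 'visible', opacity: '1',
  width: '200px', height: '30px', left: '0px', top: '0px' };
const SAMPLE_FORM = [
  { name: 'full_name', type: 'text', autocomplete: 'name', style: shown },
  { name: 'email', type: 'email', autocomplete: 'email', style: shown },
  { name: 'phone', type: 'text', autocomplete: 'tel', style: { ...shown, opacity: '0' } },
  { name: 'street', type: 'text', autocomplete: 'street-address', style: { ...shown, left: '-9999px' } },
  { name: 'job_title', type: 'text', autocomplete: 'off', style: { ...shown, width: '1px', height: '1px' } },
  { name: 'csrf_token', type: 'hidden', style: { ...shown, display: 'none' } },
];
console.log(findHiddenAutofillFields(SAMPLE_FORM)); // → [ 'phone', 'street', 'job_title' ]
```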