Autofill issue flaw sparks LinkedIn privacy concerns

With all the world’s attention currently on Facebook’s privacy woes, another social media giants privacy issues have gone rather under the radar.

But it has been revealed this week that LinkedIn, which bills itself as the social network for professionals has fixed a major privacy flaw on the quiet, without warning users of the potential risks they faced.

LinkedIn Autofill issues

It has emerged that LinkedIn was informed last month about a major flaw with their autofill button which could have put all user’s data at risk.

Autofill is a feature of LinkedIn which allows account holders to automatically fill in forms on other websites using the information in their LinkedIn account. It is commonly used on job application websites all over the world, as well as a number of other services.

But it appears that a flaw with LinkedIn made it possible for hackers to make these autofill buttons both invisible and fill the whole screen. By doing this, a hacker would have been able to ensure that wherever some clicked on the screen, their LinkedIn data would be sent to the site via postMessage.

In this way, they could have been able to harvest a huge amount of personal data from people with just a single click of the mouse. Data that could have been put at risk by the vulnerability includes full names, email addresses, location details, job titles, the company you work for, and postcodes.

LinkedIn not following best practice

The revelations about LinkedIn have been made by security research Jack Cable who put up a detailed blog post about his findings. According to him, LinkedIn had originally claimed that this flaw was not a risk because only whitelisted sites could use the autofill service.

It was only after Cable demonstrated that it could in fact be used by any site that LinkedIn took action to patch the issue.

In the past two weeks, they have released two security patches to fix the issue. However, this was done very much on the quiet and no effort was made to inform users of the issue beyond a rather vague public statement.

It was only after the researcher blogged about the issue that it came to the attention of the wider online security community.

Anyone familiar with the basics of internet security will know that keeping security issues under wraps is not good practice. It is much better to be open about the issues you have found to ensure your customers are aware, but also in case other sites could fall victim to the same vulnerability.

LinkedIn remains adamant that there are is no evidence that this vulnerability has been exploited by hackers, but that rather misses the point.

Stay safe on LinkedIn with a VPN

LinkedIn’s track record on user privacy is not exactly great. They are the only major international social media service to cooperate with the Chinese Communist Party’s censorship requirements.

And back in 2012, they also fell victim to a hack which saw the personal details of no fewer than 117 million users leaked online.

This issue is not so severe as to suggest that people should be closing their LinkedIn accounts, as many are choosing to do with Facebook at the moment. You should also be fine to make use of the autofill feature, although it is advisable to be careful exactly what information is available through it.

But with privacy very much in the spotlight right now, it is to be hoped that this issue will serve as a wake-up call for LinkedIn to begin to put the privacy of their users a little higher up their priority list.

One thing we would advise all users of LinkedIn, and indeed all other social media sites to do, is to ensure they always use a VPN when accessing their accounts.

A VPN such as ExpressVPN or IPVanish can help to protect you by encrypting all of your online data and so making it much harder for hackers to access the private details stored in your account.

Leave a Reply

Your email address will not be published. Required fields are marked *