21 Apr LinkedIn Autofill Plugin Puts User Data at Risk
Lightning Security’s Jack Cable revealed last Thursday that a bug in LinkedIn’s Autofill plugin could have been exploited by an attacker to collect private profile data such as phone numbers and email addresses.
Even though only whitelisted domains have access to this functionality, an attacker could still piggy-back on one of those domains by exploiting a cross-site scripting (XSS) flaw on it. Cable said that at least one whitelisted website had been compromised.
The security expert said that the incident had proven that a user's information can still be exposed regardless of their security settings. LinkedIn said that it had fixed the issue right after Cable's disclosure.