LinkedIn Autofill flaw lets hackers harvest website visitors’ personal info


A vulnerability in LinkedIn’s Autofill feature allowed malicious actors to harvest personal information of LinkedIn users by inserting autofill iframes over websites that were whitelisted by LinkedIn, a security researcher has revealed.

According to researcher Jack Cable, who described the exploit in a detailed blog post, once a malicious actor lures a victim to a malicious website controlled by the attacker, the visitor is greeted by a “LinkedIn AutoFill button iframe” which is styled so that it takes up the entire page and is invisible to the user. If the visitor clicks anywhere on the page, then according to Cable, “LinkedIn interprets this as the AutoFill button being pressed, and sends the information via postMessage to the malicious site”.
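The weakness described above is that an embeddable widget handed out personal data on a click without pinning down who was embedding it and where the reply would go. The following is an added example, not LinkedIn's code and not from Cable's write-up, of the checks such a widget's iframe should apply on its side: the embedding page's origin is taken from the `postMessage` event and compared exactly against an allowlist (the allowlist entries and the sample profile are constructed placeholders), replies are sent to that validated origin rather than `'*'`, and the same allowlist feeds a `frame-ancestors` directive so browsers refuse to frame the widget anywhere else.

```javascript
// Added example (not LinkedIn's implementation). Shows how an iframe widget
// that returns personal data to its parent page should gate that data on the
// parent's verified origin. Allowlist entries below are placeholders.
const ALLOWED_EMBEDDERS = new Set([
  'https://partner.example',
  'https://forms.example',
]);

// Constructed sample data standing in for a real user profile.
const SAMPLE_PROFILE = {
  name: 'Jane Doe',
  email: 'jane.doe@example.invalid',
  phone: '+1-555-0100',
};

// Parse a candidate origin and compare it exactly against the allowlist.
// Exact comparison of the parsed origin avoids the usual substring/prefix
// mistakes (e.g. accepting "https://partner.example.attacker.invalid").
// Only https origins are accepted, since an http embedder could be altered
// on the wire by a network attacker.
function isAllowedOrigin(origin) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== 'https:') return false;
  return ALLOWED_EMBEDDERS.has(parsed.origin);
}

// Pure decision function for an incoming message: returns the reply the
// widget would send ({ targetOrigin, payload }) or null if the request is
// refused. Keeping it free of DOM calls makes the policy easy to reason
// about and test outside a browser.
function handleFillRequest(event, profile) {
  if (!event || event.data !== 'autofill-request') return null;
  // The origin on a MessageEvent is set by the browser and cannot be forged
  // by the sender, so it is the value to authorise on.
  if (!isAllowedOrigin(event.origin)) return null;
  return {
    // Reply to the validated origin only; '*' would let any page that
    // managed to embed the widget read the profile.
    targetOrigin: event.origin,
    payload: { type: 'autofill-response', profile },
  };
}

// Build the CSP directive the widget's server should send, so browsers
// refuse to frame it from origins outside the allowlist. Combined with the
// origin check above, an invisible overlay on an unrelated site has no
// frame to click into.
function frameAncestorsHeader() {
  const sources = ["'self'", ...ALLOWED_EMBEDDERS].join(' ');
  return `frame-ancestors ${sources}`;
}

// Browser wiring (skipped when run under Node for the tests).
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const reply = handleFillRequest(event, SAMPLE_PROFILE);
    if (reply && event.source) {
      event.source.postMessage(reply.payload, reply.targetOrigin);
    }
  });
}
```

The `frame-ancestors` value is sent as `Content-Security-Policy: frame-ancestors ...` on the response that serves the widget page; the JavaScript check is still needed because a page that is legitimately on the allowlist can have its own script-injection bugs, so the origin comparison should be exact and the reply should never be broadcast with a wildcard target.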
