LinkedIn bug allowed data to be stolen from user profiles | #CyberSecurity #SocialMedia  | ICT Security-Sécurité PC et Internet | Scoop.it

LinkedIn bug allowed data to be stolen from user profiles
Private profile data — like phone numbers and email addresses — could have been easily collected.

A bug in how LinkedIn autofills data on other websites could have allowed an attacker to silently steal user profile data.

The flaw was found in LinkedIn's widely used AutoFill plugin, which allows approved third-party websites to let LinkedIn members automatically fill in basic information from their profile -- such as their name, email address, location, and where they work -- as a quick way to sign up to the site or to receive email newsletters.

LinkedIn only allows whitelisted domains to have this functionality, and LinkedIn has to approve each new domain. Right now, there are dozens of sites in the top 10,000 websites ranked by Alexa that have been whitelisted by LinkedIn, including Twitter, Microsoft, LinkedIn, and more.

That means any of those websites can retrieve this profile data from users without their approval.

But if any of the sites contains a cross-site scripting (XSS) flaw -- which lets an attacker run malicious code on a website -- an attacker can piggy-back off that whitelisted domain to obtain data from LinkedIn.

And it turns out that at least one of them did.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=LinkedIn