Beware LinkedIn’s Autofill Plugin Pothole
Jack Cable may be a kid, but as a coder he is an internet elder.
He’s like the driver who, after spotting a pothole on the highway, makes sure everyone else knows it is there so it gets fixed. Whether that was the right call is something you can judge for yourself.
Cable discovered a security flaw in LinkedIn, but when the company decided not to disclose the problem to the public, he did.
Cable found the problem in LinkedIn’s AutoFill feature, which lets users quickly complete forms on other websites with their profile data. It opened a door for a malicious site to harvest a visitor’s name, phone number, email address, and more.
He informed LinkedIn, which issued a quick fix but did not notify its members. Cable said the fix did not address related issues, however, so he went public. TechCrunch confirmed his story.
“It is entirely possible that a company has been abusing this without LinkedIn’s knowledge, as it wouldn’t send any red flags to LinkedIn’s servers,” Cable said.
LinkedIn said it was “pushing another fix that will address potential additional abuse,” and acknowledged Cable for “responsibly reporting” the issue.
TechCrunch said “Cable’s findings demonstrate that other tech giants deserve increased scrutiny.” Facebook, for example, has been in the headlines and before Congress recently over data security issues.
“With all eyes on security, tech companies may need to become more responsive to researchers pointing out flaws,” the publication said.
LinkedIn, for its part, is a popular networking site for lawyers. But a flaw that could have been abused without LinkedIn noticing, and that was patched without members being told, should also give them pause.