Insidious Bug Found that Can Destroy Privacy

ZDNet reports that a bug was found in the LinkedIn Auto-fill plugin that could allow hackers to steal user profile data. The popular plugin allows third-party sites to capture LinkedIn member data from user profiles when users sign up for webinars, newsletters, etc.

Although LinkedIn only allows this plugin to interact with pre-approved sites, the problem occurs if those white-listed sites become compromised through cross-site scripting (XSS). Cross-scripting lets an attacker run malicious code on a targeted site that can capture user data while using the LinkedIn plugin.

Bugs of this nature are very serious. Although we do not know how many LinkedIn users actually use the Auto-fill plugin, the fact that the social network has over 500 million users makes this a high-profile issue. To LinkedIn’s credit, they did fix the bug quickly. The question, however still remains—what else is happening that is compromising people’s data that we still don’t know about yet.

As we previously disclosed last week in our post, “ALERT: Millions Of Trusted Apps Are Leaking Data!”, many programmers are not taking security seriously. In many instances, issues such as described above go unnoticed by the user community but not by the criminal underground.

In a recent 60 Minutes® segment, Aleksandr Kogan was interviewed in regard to the recent Cambridge Analytica Facebook data mining incident. Kogan was the programmer who created the app that is at the center of the controversy.

When asked, “How many apps do you think there are, how many developers, who did what you did?”; Kogan replied, “Tens of thousands.” Click here to see the full 60 minutes® interview with Aleksandr Kogan.

What does this mean to you? It means that we can no longer trust internet companies, or any company for that matter, to fully protect our data no matter what they say in interviews or in writing. We have to take responsibility for our online safety ourselves.

Trusted social networks such as LinkedIn and Facebook and any other company that creates an app or has one created for it must make sure they are secure before unleashing them on their users. As the 60 Minutes® segment shows—we’re not there yet.

Don’t become a victim. Vet all apps and get rid of those that ask for permissions outside of the scope of their marketed purposes.

 

XSolutions is a Managed Services Provider (MSP) located in Rockland County, NY and has been serving New York, New Jersey and Connecticut businesses since 1999. XSolutions is an Elite Partner of Datto, the world leader in Hybrid-Cloud Business Continuity solutions. Call (845) 362-9675 for a free consultation.