Cable says he disclosed it to Microsoft-owned LinkedIn on April 9, and it issued a fix the next day. However, he holds that the patch failed to completely mitigate the issue. Though LinkedIn restricted the use of AutoFill to whitelisted sites, malicious sites could still get around that restriction by using an iframe and exploiting cross-site scripting vulnerabilities. The Cambridge Analytica case also shows that limiting functionality to authorized third parties doesn't work. It only takes one bad actor or one security breach, and user data is in the open.
No Disclosure
According to Cable, the company has now released an additional patch that allays his concerns. However, this doesn't address a point that has also been vital in Facebook's case: disclosure. Though LinkedIn says it has seen 'no signs of abuse', it's entirely possible that attackers have been using the flaw without its knowledge. The vulnerability also directly contradicts the company's privacy policy, which states that 'blind' submitting of forms is against LinkedIn's privacy policy and that AutoFill does not enable this. That's quite a statement to make given the circumstances, since user information would have been revealed regardless of their privacy settings. Once more, users have the illusion of privacy but are open to the whims of third parties. It's not clear how many people use AutoFill. It's definitely not on the same scale as Facebook's scandal, and the window to disclose was much smaller. Still, it shows that users can't trust tech giants with their data, or to tell them quickly when an issue arises.