[ISN] Yelp Security Hole Puts Facebook User Data At Risk, Underscores Problems With 'Instant Personalization'

From: InfoSec News <alerts_at_private>
Date: Wed, 12 May 2010 00:40:16 -0500 (CDT)

By Jason Kincaid 
TechCrunch
May 11, 2010 

As if Facebook's Instant Personalization needed another knock against 
it, tonight comes news of a security issue that makes the feature even 
more unnerving.  Web security consultant George Deglin discovered an 
exploit that would allow a malicious site to immediately harvest a 
Facebook user's name, email, and data shared with 'everyone' on 
Facebook, with no action required on the user's part. This specific 
exploit has been patched, and no user data was compromised, but the 
security problems behind it remain.

The exploit took advantage of Cross Site Scripting to inject malicious 
code into Yelp. Normally such an attack wouldn't have particularly broad 
implications for Facebook users, but Yelp is, of course, one of the 
three sites that have been deemed fit for Facebook's highly 
controversial Instant Personalization feature. The feature grants Yelp 
immediate access to much of a user's core Facebook data as soon as they 
visit the reviews site, without having to bother with logins or Connect 
buttons. But with that convenience comes risk - if a site with Instant 
Personalization is compromised, it can put almost any Facebook user in 
harm's way.

Here's a high-level description of how the exploit worked:

    The script in my example would capture the browser cookies set for 
    Yelp.com, extract a key required to make Open Graph API requests to 
    the Facebook API, and send that key to my site. My site would then 
    make a request for your name, email, etc. and store it in a 

In other words, if you visited the malicious site, it would immediately 
harvest any data that Yelp had access to. And Yelp automatically has 
access to a lot, including your email, name, profile photo, current 
location, friend list, and networks. You wouldn't have to accidentally 
click anything. The malicious site could do this even if you had never 
been to Yelp. Also worth noting: Yelp is automatically given access to 
your email address, when all other Facebook Connect sites have to ask 
for special permission to access it.


Received on Tue May 11 2010 - 22:40:16 PDT
