http://techcrunch.com/2010/05/11/yelp-security-hole-puts-facebook-user-data-at-risk-underscores-problems-with-instant-personalization/

By Jason Kincaid
Tech Crunch
May 11, 2010

As if Facebook's Instant Personalization needed another knock against it, tonight comes news of a security issue that makes the feature even more unnerving. Web security consultant George Deglin discovered an exploit that would allow a malicious site to immediately harvest a Facebook user's name, email, and data shared with 'everyone' on Facebook, with no action required on the user's part. This specific exploit has been patched, and no user data was compromised, but the security problems behind it remain.

The exploit took advantage of Cross Site Scripting to inject malicious code into Yelp. Normally such an attack wouldn't have particularly broad implications for Facebook users, but Yelp is, of course, one of the three sites that have been deemed fit for Facebook's highly controversial Instant Personalization feature. The feature grants Yelp immediate access to much of a user's core Facebook data as soon as they visit the reviews site, without having to bother with logins or Connect buttons. But with that convenience comes risk - if a site with Instant Personalization is compromised, it can put almost any Facebook user in harm's way.

Here's a high level description of how the exploit worked:

The script in my example would capture the browser cookies set for Yelp.com, extract a key required to make Open Graph API requests to the Facebook API, and send that key to my site. My site would then make a request for your name, email, etc. and store it in a database.

In other words, if you visited the malicious site, it would immediately harvest any data that Yelp had access to. And Yelp automatically has access to a lot, including your email, name, profile photo, current location, friend list, and networks. You wouldn't have to accidentally click anything. The malicious site could do this even if you had never been to Yelp. Also worth noting: Yelp is automatically given access to your email address, when all other Facebook Connect sites have to ask for special permission to access it.

[...]

Received on Tue May 11 2010 - 22:40:16 PDT