Security hole in Yelp Instant Personalization
Posted on 11 May 2010.
A never-ending string of privacy glitches and bugs has struck Facebook since the implementation of its highly controversial Instant Personalization feature.

This latest security hole influences the privacy of Facebook users who access Yelp. As you probably already know, Yelp is - alongside Docs.com and Pandora - a site that has partnered with the popular social network and has automatic access to a great portion of its users' data, in order to personalize their browsing experience.

The problem with this setup is that when such a site is compromised, the consequences can extend to Facebook and its users - as security consultant George Deglin can attest.

He discovered an exploit that would make it possible for a malicious site to harvest all the information that users have on their Facebook profile and is available for access from Yelp (email, name, current location, friend list, etc.). The exploit would be able to do this by using XSS to inject malicious code into Yelp.

As he explained to TechCrunch: "The script in my example would capture the browser cookies set for Yelp.com, extract a key required to make Open Graph API requests to the Facebook API, and send that key to my site. My site would then make a request for your name, email, etc. and store it in a database."

The most frightening thing about this is that the exploit could do it's thing even if you have never visited the Yelp website. But, luckily for all Facebook users, Deglin has never had any intention take advantage of this security hole and has notified Yelp and Facebook of it, which they proceeded to investigate and fix.






Spotlight

eBook: Cybersecurity for Dummies

Posted on 16 December 2014.  |  APTs have changed the world of enterprise security and how networks and organizations are attacked. These threats, and the cybercriminals behind them, are experts at remaining hidden from traditional security while exhibiting an intelligence, resiliency, and patience that has never been seen before.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Thu, Dec 18th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //