Yelp Security Hole Illustrates the Dangers of New Facebook Features

It seems like the hits keep on coming for Facebook and your privacy. This latest security exploit involves Facebook’s new Instant Personalization feature. This is the mechanism Facebook has rolled out that lets third-party sites access your personal information from Facebook in order to show you a customized view of their site. Yelp, along with Docs.com and Pandora, was one of the few sites first allowed access. Illustrating the most basic reason you don’t want random third parties holding your data, a cross-site scripting (XSS) hole in Yelp was used to gain access to your Facebook info.

According to TechCrunch, this is how the exploit worked:

The script in my example would capture the browser cookies set for Yelp.com, extract a key required to make Open Graph API requests to the Facebook API, and send that key to my site. My site would then make a request for your name, email, etc. and store it in a database.

To put it in more basic terms: you visit a site carrying the malicious code, and it uses Yelp to get at all of your Facebook information. You don’t have to actually visit Yelp, do anything on Yelp, or even know what Yelp is. Yelp has been given full access to your Facebook account to enable Instant Personalization, so a script that can read Yelp’s cookies can borrow that access. Without you knowing what happened, or even that anything happened, someone just got all of your goods.
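The chain described above needs two things: script injected into a page on the personalized site, and an API key that page's script can read from its cookies. The following is an added illustration (not code from the article, Yelp or Facebook; all function and cookie names are hypothetical) of the two server-side controls that break that chain: escaping untrusted content before it lands in HTML, and keeping the Facebook key in a server-side session behind an HttpOnly cookie so that document.cookie exposes nothing useful.

```javascript
// Added example, not code from the article or from Yelp/Facebook.
// All names (escapeHtml, renderReview*, buildSessionCookie, sid) are hypothetical.

// 1. Escape untrusted text (a user review, a profile name) before placing it
//    into HTML, so a "<script>" tag arrives as inert text rather than code.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable form: raw interpolation lets injected markup execute.
function renderReviewVulnerable(review) {
  return `<div class="review">${review}</div>`;
}

// Hardened form: the same template with the input escaped.
function renderReviewHardened(review) {
  return `<div class="review">${escapeHtml(review)}</div>`;
}

// 2. Keep the Facebook access key out of anything page script can read.
//    The cookie carries only an opaque session id; the key is looked up
//    server-side. HttpOnly hides the cookie from document.cookie, Secure
//    limits it to HTTPS, SameSite=Lax blocks most cross-site sends.
function buildSessionCookie(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Mirror the browser rule for document.cookie: cookies flagged HttpOnly
// are invisible to script. Returns the name=value pairs a script could read.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*httponly(\s*;|\s*$)/i.test(h))
    .map((h) => h.split(';')[0].trim());
}

// Constructed sample input: a harmless injected tag standing in for the
// cookie-stealing script the article describes.
const samplePayload = '<script>alert(1)</script>';

// Constructed Set-Cookie headers: a script-readable key (the weak pattern)
// next to the hardened session cookie. The key value is a placeholder.
const sampleSetCookies = [
  'graph_key=PLACEHOLDER_KEY; Path=/',
  buildSessionCookie('s3ss10n'),
];
```

Only the weak `graph_key` cookie shows up in `scriptVisibleCookies(sampleSetCookies)`; the hardened session cookie does not, and `renderReviewHardened(samplePayload)` contains no live `<script>` tag.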

Luckily, this exploit was discovered by Web security consultant George Deglin, and he wasn’t really after your data. He immediately reported it, and Facebook shut down Instant Personalization. They then worked with Yelp to get the problem fixed. The key point to take away here is that, by opening your data up to third parties, Facebook is pretty much putting you at risk. Who will discover the next major security hole in Instant Personalization or the Facebook Graph API? Up until now, these exploits have gone public pretty quickly and Facebook has had time to recover, but what happens when the bad guys find the hole first?