Yelp Security Hole Puts Facebook User Data At Risk, Underscores Problems Wit...
As if Facebook’s Instant Personalization needed another knock against it, tonight comes news of a security issue that makes the feature even more unnerving. Web security consultant George Deglin discovered an exploit that would allow a malicious site to immediately harvest a Facebook user’s name, email, and data shared with ‘everyone’ on Facebook, with no action required on the user’s part. This specific exploit has been patched, and no user data was compromised, but the security problems behind it remain.
The exploit took advantage of Cross Site Scripting to inject malicious code into Yelp. Normally such an attack wouldn’t have particularly broad implications for Facebook users, but Yelp is, of course, one of the three sites that have been deemed fit for Facebook’s highly controversial Instant Personalization feature. The feature grants Yelp immediate access to much of a user’s core Facebook data as soon as they visit the reviews site, without having to bother with logins or Connect buttons. But with that convenience comes risk — if a site with Instant Personalization is compromised, it can put almost any Facebook user in harm’s way.
Here’s a high level description of how the exploit worked:
The script in my example would capture the browser cookies set for Yelp.com, extract a key required to make Open Graph API requests to the Facebook API, and send that key to my site. My site would then make a request for your name, email, etc. and store it in a database.
In other words, if you visited the malicious site, it would immediately harvest any data that Yelp had access to. And Yelp automatically has access to a lot, including your email, name, profile photo, current location, friend list, and networks. You wouldn’t have to accidentally click anything. The malicious site could do this even if you had never been to Yelp. Also worth noting: Yelp is automatically given access to your email address, when all other Facebook Connect sites have to ask for special permission to access it.
Fortunately Deglin is one of the good guys. After being notified of the security hole, Yelp and Facebook shut down Instant Personalization for an hour or two until a fix was in place.
But this is unsettling nonetheless. Instant Personalization has only been around for a few weeks on a mere three sites, and one of them has already had issues. Given how common XSS vulnerabilities are, if Facebook expands the program we can likely expect similar exploits. It’s also worth pointing out that some large sites with many Facebook Connect users — like Farmville.com or CNN— could also be susceptible to similar security problems. In short, the system just isn’t very secure.
Here are the statements each company had regarding the issue:
Yelp:
We were notified of a bug with our Facebook implementation. We immediately turned off the feature and pushed out a fix and the functionality is again live. No user information was compromised.
Facebook:
We were notified of a bug with Yelp’s Facebook implementation earlier today, at which point all related functionality was temporarily shut down before the issue was exposed. Yelp immediately investigated the issue, and the implementation is now back up and running.
Facebook has also had numerous other security issues, including a major cross-domain vulnerability and an issue that exposed users’ private Facebook chats.
