Popular social media site Yelp has had two issues in the past day or so in which Facebook users’ data was put at risk. Is this just the tip of the iceberg for your data?
Last night, we reported on a security exploit discovered by web security consultant George Deglin that would allow a malicious site to quietly harvest a user’s Facebook friend list, email address, and other data. The exploit used a technique called cross-site scripting (XSS) to inject malicious code into Yelp, and took advantage of the fact that Yelp is one of Facebook’s partners for its controversial Instant Personalization feature to harvest the Facebook user data. The hole was quickly patched, and no user data was compromised.
Tonight, Deglin discovered a second hole in Yelp that once again allowed him to use XSS to inject malicious code that could put Facebook user data at risk. Yelp has now patched this second hole, and once again the company believes that no user data was compromised. Facebook has turned off Instant Personalization on Yelp for the time being as Yelp looks to ensure there are no more vulnerabilities.
It’s plain to see that money from partners matters more to Facebook than the security of user data. I really hope something changes soon.