The world’s #1 social network is already seeing users cancel their accounts in droves–over privacy–and now one of its trusted partners provides the gateway for a malicious hack?
The script in my example would capture the browser cookies set for Yelp.com, extract a key required to make Open Graph API requests to the Facebook API, and send that key to my site. My site would then make a request for your name, email, etc. and store it in a database.
Even more scary?
You–the user–need not do anything to enable this security breach. It’s not like Yelp pops up a message that says “Hey, is this you? Click this harmless-looking link!” Nope! Any private info that Facebook makes available to Yelp would be immediately available to the hackers. Note: You would need to land on a malicious site, hell-bent on extracting your Yelp/Facebook data.
OK, don’t panic. Fortunately, this exploit was discovered by a web security expert–George Deglin–and not some Chinese student doing a class project. In response, both Yelp and Facebook quickly fixed the problem before any user data was compromised.
Still, you have to wonder: if a site as established as Yelp can’t keep your Facebook information safe, do you really want to share it with any random blog that happens to ask for it?