Posted May 11, 2010 9:40 am by with 1 comment

Could it be that privacy truly is Facebook’s Achilles’ heel?

The world’s #1 social network is already seeing users cancel their accounts in droves–over privacy–and now one of its trusted partners provides the gateway for a malicious hack?

One of Facebook’s marquee personalization partners, Yelp, is at the center of the latest privacy scare. Actually, a scare would be putting it mildly:

The script in my example would capture the browser cookies set for Yelp.com, extract a key required to make Open Graph API requests to the Facebook API, and send that key to my site. My site would then make a request for your name, email, etc. and store it in a database.

Even more scary?

You–the user–need not do anything to enable this security breach. It’s not like Yelp pops up a message that says “Hey, is this you? Click this harmless looking link!” Nope! Any private info that Facebook makes available to Yelp would be immediately available to the hackers. Note: You would need to land on a malicious site, hell-bent on extracting your Yelp/Facebook data.

OK, don’t panic. Fortunately, this exploit was discovered by a web security expert–George Deglin–and not some Chinese student doing a class project. In response, both Yelp and Facebook quickly fixed the problem before any user data was compromised.

Still, you have to wonder: if a site as established as Yelp can’t keep your Facebook information safe, do you really want to share it with any random blog that happens to ask for it?

  • http://www.frankthinking.com Frank Reed

    Considering the type of response that any information given on MP about Yelp gets, does anyone really care? If they are such a “powerhouse” why does everyone seem to shrug off news about them? Is this more hype than reality?