Facebook Instant Personalization Has a Security Hole, No One Shocked

Ryan Whitwam

There are a lot of reasons to distrust Facebook's Instant Personalization service, but the list grew by one more today. The issue is an exploit that takes advantage of Yelp's participation in the Instant Personalization feature of Facebook. The attack allows a shady character to get access to all of a user's Facebook data if that user visits Yelp while enrolled in the Instant Personalization program.

The exploit took advantage of Yelp's association with Facebook by way of cross-site scripting to inject malicious code. In the past, this wouldn't have affected Facebook data, but Yelp is one of Facebook's Instant Personalization partners. This means Yelp has access to a user's data immediately upon that user visiting the site. The scary thing here is that the exploit would work even if you had never been to Yelp before.
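The mechanism above is the usual one for a partner-site XSS: anything rendered into the partner's page as raw markup runs with that page's origin, and therefore with whatever data that origin has been granted. The snippet below is an added illustration, not code from the article, from Yelp or from Facebook. It assumes a hypothetical partner page that renders a user-supplied review title into its HTML, builds the markup as a string so it runs in Node without a DOM, and uses a constructed sample input rather than any real payload from the incident.

```javascript
// Added example (not from the article): raw insertion of untrusted text into
// markup versus escaping it first, plus a small check a reviewer can run.
// All names here (renderUnsafe, renderSafe, reviewTitle) are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace the five characters that can change HTML structure with entities.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the untrusted string becomes markup. Any <script> or
// event-handler attribute inside it executes in the partner site's origin,
// with the same access to user data the partner page itself has.
function renderUnsafe(reviewTitle) {
  return `<h2 class="review-title">${reviewTitle}</h2>`;
}

// Hardened: the same string is shown as text; angle brackets survive only
// as &lt; and &gt; and nothing executes.
function renderSafe(reviewTitle) {
  return `<h2 class="review-title">${escapeHtml(reviewTitle)}</h2>`;
}

// Detection-style check: does the rendered markup contain any tag that the
// template did not put there? Returns true when an unexpected tag appears.
function containsUnexpectedTag(html, allowed = ['h2']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample input, not a real payload from the incident.
const sample = 'Great tacos <script>alert(1)</script>';

console.log(renderUnsafe(sample));
console.log('unexpected tag (unsafe):', containsUnexpectedTag(renderUnsafe(sample)));
console.log(renderSafe(sample));
console.log('unexpected tag (safe):', containsUnexpectedTag(renderSafe(sample)));
```

The point of `containsUnexpectedTag` is not that it is a complete XSS detector (it is not) but that it makes the difference between the two render paths observable: the unsafe path yields markup with a `script` element the template never declared, while the escaped path yields only the `h2` the template defines.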

Facebook claims to have taken care of this security hole, but this event leaves us even more unsettled than before. It seems we can't go a day without learning of another Facebook security issue. We shudder to think what would happen if Instant Personalization were available for more than three sites.
