There are a lot of reasons to distrust Facebook's Instant Personalization service, but the list grew by one more today. The issue is an exploit that takes advantage of Yelp's participation in the Instant Personalization feature of Facebook. The attack allows a shady character to get access to all a user's Facebook data if they visit Yelp while participating in the Instant Personalization program.
The exploit took advantage of Yelp's association with Facebook by way of cross-site scripting to inject malicious code. In the past, this wouldn't have affected Facebook data, but Yelp is one of Facebook's Instant Personalization partners. This means Yelp has access to user data immediately upon visiting the site. The scary thing here is that the exploit would work even if you had never been to Yelp.
Facebook claims to have taken care of this security hole, but this event leaves us even more unsettled than before. It seems we can't go a day without learning of another Facebook security issue. We shudder to think what would happen if Instant Personalization were available for more than three sites.
Google has released a new web security tool developers can use to check their sites for security vulnerabilities. The tool is called Skipfish and it runs on a Linux or Unix command line in a similar way to well known utilities like Nmap or Nessus. The only difference is that Skipfish runs much faster.
The software is capable of processing 2,000 HTTP requests per second on even a modest system. Tests on local networks have yielded more than 7,000 requests per second. Skipfish owes this amazing speed to its straight-up C implementation.
The tool was designed to identify code that could allow vulnerabilities like cross-site scripting attacks and SQL/XML injection attacks, among others. It even supports asynchronous processing of multithreaded processes for high scalability. If you’re a web developer interested in the software, you can get it here.