Stop me if this sounds familiar. Last night, we reported on a security exploit discovered by web security consultant George Deglin that would allow a malicious site to quietly harvest a user’s Facebook friend list, email address, and other data. The exploit used a technique called Cross Site Scripting (XSS) to inject malicious code into Yelp, and took advantage of the fact that Yelp is one of Facebook’s partners for its controversial Instant Personalization feature to harvest the Facebook user data. The hole was quickly patched, and no user data was compromised.
Tonight, Deglin discovered a second hole in Yelp that once again allowed him to inject malicious code using XSS that could put Facebook user data at risk. Yelp has now patched this second hole, and once again the company believes that no user data was compromised. Facebook has turned off Instant Personalization on Yelp for the time being as Yelp looks to ensure there are no more vulnerabilities.
Some Background
Instant Personalization is a new feature that allows a handful of trusted third-party sites to immediately access a user’s Facebook information as soon as the user hits the site (the three launch partners are Yelp, Pandora, and Microsoft’s Docs.com). Unlike standard sites that implement Facebook Connect, these Instant Personalization sites don’t have to prompt users to log-in or hit a ‘Connect’ button before Facebook shares data with them. Unfortunately, this also means that when one of these Instant Personalization sites gets compromised, the potential for abuse is much greater than for most standard Connect sites.
Facebook has granted Yelp automatic access to a user’s name, profile photo, friend list, networks, fan pages, and other information that has been shared with ‘everyone’, which could include status updates and some photos depending on the user’s privacy settings. If a malicious site were to compromise Yelp, every time a Facebook user visited that malicious site it would be able to immediately harvest all of this data, even if the user had never actually been to Yelp before.
Why This Is A Problem
We should point out that since last night, Facebook has tightened up the amount of data shared through Instant Personalization. Before last night’s exploit, Yelp was also given automatic access to Facebook users’ email addresses. Facebook says that this was shared because of a bug, and is no longer sharing email addresses with Yelp. The fact that Facebook could have been accidentally handing out user emails isn’t comforting in the slightest, but at least it’s fixed.
With email addresses out of the picture, the only Facebook data that could potentially be accessed through this kind of exploit is information that is shared with ‘Everyone’, which is visible to the public anyway. But even though the type of information being shared is not terribly alarming, the context in which it could be shared is. There’s a reason not every site has access to Facebook’s Instant Personalization.
Using this kind of XSS hole, it would be possible for a malicious ad served by an ad network in an iFrame to surreptitiously harvest data about any Facebook user who viewed the ad. The ad could conceivably customize itself to address the user by name or show their profile photo. Likewise, unauthorized third party sites could use such an exploit to identify its users not just by IP address, but by name, current city, etc.
I don’t mean to pick on Yelp in these cases — XSS vulnerabilities are quite common on the web, and I suspect we’ll see similar exploits on Facebook partner sites in the future. All of which goes to show that no matter how much Facebook tightens its own security, it cannot ensure that its third party partners are secure.
Here’s Yelp’s statement on tonight’s issue:
“We were alerted today of a second XSS vulnerability on our site, which we immediately patched. Again, we have not found any evidence that user information was accessed. The Facebook integration has been temporarily disabled while we conduct a thorough site audit and will be re-instated upon completion.”
And Facebook’s statement:
“We’ve been alerted to additional vulnerabilities in Yelp’s code. In the interest of all our users, we’ve temporarily disabled their Facebook integration. They are working quickly to resolve the issue.”