In the past few years, Facebook has been constantly adding functionality to its own Web site, but also to other sites that want to take advantage of the social network's popularity. The Facebook Platform has been spreading fast, namely in the form of Facebook Connect, "Like" buttons and the like. This has already raised a number of questions about user privacy, but a new component of the platform appears to open a new door to information leaks.
The latest Facebook Platform now offers the Open Graph API, which was presented on the first three partner Web sites--Microsoft Docs, Pandora and Yelp--using "Instant Personalization". This allows Web site owners to use Facebook users' information so that, when users visit those Web sites, they are presented with content adapted to their "likes" or to their connections with products or other people. All this is done without the user having to log in to his or her account, as opposed to Connect. It allows Pandora, for instance, to automatically play music the user is known to like when he or she arrives on the Web site, or to suggest bands that his or her friends like.
This is of course all done with the intent of enhancing the user experience on these Web sites (and on Facebook), but it apparently comes at a price. Indeed, "Web security consultant George Deglin discovered an exploit that would allow a malicious site to immediately harvest a Facebook user's name, email, and data shared with 'everyone' on Facebook, with no action required on the user's part," as reported by Techcrunch. Officials say the vulnerability has been patched and believe no user data was compromised, but the fact is that the underlying problem is still there.
The vulnerability that allowed the leak of information was not in Facebook's code, but was found on Yelp's Web site. It allowed a remote attacker to launch an XSS attack and inject code into Yelp. And because of the way the Instant Personalization feature is implemented, Yelp constantly received information about Facebook users. Deglin's exploit used a script that "would capture the browser cookies set for Yelp.com, extract a key required to make Open Graph API requests to the Facebook API, and send that key to [his] site." Once it had the key, his Web site could make any request he wanted to obtain names, email addresses, etc., and store them in a database.
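The exfiltration path described above depends on injected script being able to read the cookie that holds the API key. As an added example (not code from the article, Yelp or Facebook), the following audits a `Set-Cookie` header for the attributes that keep such a cookie out of reach of `document.cookie`, and builds a hardened header; the cookie name `og_key` and its value are constructed for illustration. An XSS flaw still lets injected script issue same-origin requests, so HttpOnly narrows the damage rather than replacing output encoding on the partner site.

```javascript
// Added example, not from the article: audit a Set-Cookie header for the
// attributes that keep a session/API-key cookie away from injected script.
// Only cookies without HttpOnly are exposed through document.cookie, which is
// the exfiltration path the Yelp exploit relied on.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Returns a list of findings; an empty list means the cookie is hardened.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) {
    findings.push(`${name}: missing HttpOnly (readable via document.cookie)`);
  }
  if (!attributes.secure) {
    findings.push(`${name}: missing Secure (sent over plain HTTP)`);
  }
  const sameSite = String(attributes.samesite || "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict") {
    findings.push(`${name}: SameSite not Lax/Strict (cross-site requests carry it)`);
  }
  return findings;
}

// Builds the hardened form of the same cookie.
function hardenedCookie(name, value, maxAgeSeconds) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample: a partner-site cookie carrying an API key with no protection.
const WEAK_COOKIE = "og_key=abc123; Path=/";

console.log(auditSetCookie(WEAK_COOKIE));
console.log(auditSetCookie(hardenedCookie("og_key", "abc123", 3600)));
```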
However, while it was a vulnerability in Yelp that permitted the exploit, a flaw in Facebook's code further allowed the attacker to obtain the email addresses of the compromised accounts, and also those of the users' friends. Furthermore, Techcrunch later reported a second XSS vulnerability in Yelp, although it too was patched quickly, according to the Web site.
So both companies have plugged these holes for now, but there is currently no way of knowing whether other adopters of Facebook's Open Graph are also vulnerable. Docs and Pandora are the only two other Web sites integrating Instant Personalization for now, but there are already talks about it spreading more widely. Facebook may have secured its code regarding the email addresses, but there is no indication that other partner Web sites will not have vulnerabilities such as Yelp's. Secure programming may be deemed important by a large majority of programmers, but in practice critical vulnerabilities are found every day.
The best way to ensure your Facebook information is safe is to opt out of those Open Graph functions. MakeTechEasier provides a clear, step-by-step guide that explains how to prevent Facebook from sending your personal information to third-party Web sites using the Facebook Platform.