Yelp Security Hole Puts Facebook User Data At Risk, Underscores Problems With ‘Instant Personalization’

As if Facebook's Instant Personalization needed another knock against it, tonight comes news of a security issue that makes the feature even more unnerving. Web security consultant George Deglin discovered an exploit that would allow a malicious site to immediately harvest a Facebook user's name, email, and data shared with 'everyone' on Facebook, with no action required on the user's part. This specific exploit has been patched, and no user data was compromised, but the security problems behind it remain. The exploit took advantage of Cross Site Scripting to inject malicious code into Yelp . Normally such an attack wouldn't have particularly broad implications for Facebook users, but Yelp is, of course, one of the three sites that have been deemed fit for Facebook's highly controversial Instant Personalization feature.