

Yelp Security Hole Puts Facebook User Data At Risk - bjonathan
http://techcrunch.com/2010/05/11/yelp-security-hole-puts-facebook-user-data-at-risk-underscores-problems-with-instant-personalization/

======
jacquesm
I don't think facebook needs any further help from Yelp to put 'user data at
risk'.

The last couple of weeks have been pivotal in the history of social media,
I've never seen so many mainstream media articles about the security and
privacy issues associated with a single company.

~~~
leftnode
Which is awesome, I love that more attention is being put to security and
privacy practices of companies online. Hopefully it'll be the catalyst for a
lot of positive changes in the near future.

~~~
uptown
While I agree with you, the vast majority of users on Facebook are more
concerned who won Dancing With the Stars than about any information exposed
about themselves online. Sadly, those are probably the same people that click
on ads. For Facebook, and companies like them, it's win-win.

~~~
leftnode
Yeah, you're right, unfortunately, but it's a step in the right direction.

------
lukeqsee
This is precisely the scary factor of FB's open graph. While Facebook may be
able to keep my data mostly secure (read: aside from their bugs of late), how
can I know for sure their partners will?

When money is the primary driver behind who gets these partnerships (like
Yelp's special one, anybody can use open graph) you have a fundamental and
telling issue, privacy tends to go out the window when monetization of data
starts to happen.

------
eande
In the last weeks since the new Facebook API and policy change you can see the
outcry and the security problems being reported frequently and in so many places.

It is getting to a nightmare and I am not sure how well in general consumers
in the social media can keep track of it.

Here is my business idea. My assumption is that a website helping people to
understand and simplify the security issue on the social media places plus a
clean how to instruction on setting the security levels will generate some
good traffic. Anybody wants to build it?

------
jm4
It is absurd that a company (Facebook) would put itself in a position where
another company's negligence/mistake/whatever could possibly put its users'
data at risk.

~~~
lukeqsee
True. Unsettling.

It seems Facebook is on an absurdity run. The last two weeks have been full of
absurd bugs, absurd ideas. </rant>

------
alttab
What is also important to note is that if someone's data gets compromised,
_our_ data is also at risk if we are friends with that person. My fiancée uses
Yelp and stays logged in to Facebook, and could indirectly compromise any of
her friends' data (and even the information in her inbox).

~~~
HaloZero
Technically, the limitations of open graph require a specific user auth token
to get any extra data. So if your fiancée gets compromised, they can get the
names and profile pictures of her friends but that's all. Any extra
information (like email) requires the user to visit the site with the XSS as
well.

------
ivenkys
One thing is for sure - FB is not having a good week.

~~~
iamdave
I wonder if they care. The amount of damage control Facebook has done in the
wake of this has been pretty passive; as if they're saying "We hear you, but
we're going to stay the course".

~~~
marltod
From FB's point of view they have 2 options.

1. Go back to the 2007 FB and keep most people happy, and lose the ability to
sell private data.

2. Lose 10-25% of users and monetize everyone else's data.

~~~
jasonlbaptiste
Realistically? I'd be surprised if they even lost 1% of users (4+ million).

~~~
tptacek
I'm extremely privacy-sensitive and nothing they've done has come close to
shaking me off as a customer. Key detail about my use of Facebook: I don't
publish things on Facebook that I'm concerned about, and I don't use it for
work social networking.

------
what
In the photos at the bottom, how come they blacked out one of the email
addresses completely? Obviously not an @gmail, wonder what it is.

------
jqueryin
All the more reason to modify your Facebook settings to disallow their third
party vendors from accessing your data.

------
joubert
I hope enough people boycott sites that use the FB instant personalization
thingy. But hope is not a strategy, alas.

------
eplanit
It would be lovely to see Yelp, Facebook, and Twitter all succumb in some kind
of deadly embrace -- a grand implosion that would be. Like watching that
implosion of Texas Stadium last month.

Oh well, on to other wishful thinking...

------
al_james
It's pretty terrible that a big site like Yelp would be open to a Cross Site
Scripting attack.

~~~
tptacek
Most are.

~~~
what
It's scary actually. It's become so easy for anyone to build a site/app, but
most people are clueless when it comes to security. Even the basics, like
validating and sanitizing inputs and outputs. Couple this with the "I have to
release before my competitors do" mentality and you end up with a gaping hole
that you can just walk through. If your site is big enough, you should hire an
expert.
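The "validating inputs and sanitizing outputs" basics mentioned above, as an added example that is not part of this thread or of Yelp's code: a reflected-XSS-prone renderer beside its output-encoded form, plus an allowlist check on an input. The search term, business slug and HTML fragments are constructed for illustration.

```python
import html
import re

# Constructed sample input: a user-supplied search term that a site reflects
# back into the page ("No results for <term>"), carrying markup.
USER_INPUT = "<script>alert(1)</script>"

# Constructed allowlist for a URL-style business slug (input validation).
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


def render_vulnerable(term: str) -> str:
    """Interpolates raw input straight into HTML: reflected XSS."""
    return f"<p>No results for {term}</p>"


def render_escaped(term: str) -> str:
    """HTML text context: encode < > & so tags in the input stay inert."""
    return f"<p>No results for {html.escape(term, quote=True)}</p>"


def render_attribute_escaped(term: str) -> str:
    """HTML attribute context: quote=True also encodes ' and ", so the
    input cannot close the attribute and add an event handler."""
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


def is_valid_slug(slug: str) -> bool:
    """Allowlist validation: reject anything that is not a plain slug,
    rather than trying to strip 'bad' characters after the fact."""
    return bool(SLUG_RE.fullmatch(slug))


if __name__ == "__main__":
    for fn in (render_vulnerable, render_escaped, render_attribute_escaped):
        print(f"{fn.__name__}: {fn(USER_INPUT)}")
    for slug in ("joes-pizza-sf", "joes pizza<"):
        print(f"{slug!r} valid: {is_valid_slug(slug)}")
```

Encoding must match the context the value lands in (text, attribute, URL, JavaScript); the escaped forms here cover only the first two.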

~~~
tptacek
Welcome to the last 30 years of the technology industry. We have t-shirts!

