

Another Security Hole Found On Yelp, Facebook Data Once Again Put At Risk - whyleym
http://techcrunch.com/2010/05/11/another-security-hole-found-on-yelp-facebook-data-once-again-put-at-risk/

======
gdeglin
If anyone is curious, these security holes were found in dynamically generated
javascript that included a GET parameter that was neither encoded nor run
through magic_quotes. They were easy to find to the point where an automated
scanning tool could almost certainly identify them.
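
The pattern gdeglin describes, as an added example that is not code from the thread or from Yelp: a server builds a `<script>` block from a GET parameter, first by raw concatenation and then by encoding the value as a JavaScript string literal. It is written in JavaScript (Node) rather than the PHP the comment implies; the function names, the `user` variable and the sample inputs are constructed for the demo.

```javascript
// Added example, not code from the thread or from Yelp: a dynamically
// generated script that embeds a user-controlled GET parameter, shown
// spliced in raw and then emitted as a properly escaped JS string literal.

// Unsafe: raw concatenation. A value containing a double quote terminates the
// string literal and the remainder of the parameter is parsed as JavaScript.
function renderScriptUnsafe(name) {
  return 'var user = "' + name + '";';
}

// Encode a value as a JavaScript string literal that is also safe inside an
// HTML <script> element. JSON.stringify escapes quotes, backslashes and
// control characters; "<" is escaped as well so "</script>" and "<!--" cannot
// close or comment out the element, and U+2028/U+2029 are escaped because
// older engines treat them as line terminators inside a literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened: the parameter can only ever be the value of the literal.
function renderScriptSafe(name) {
  return 'var user = ' + jsStringLiteral(name) + ';';
}

// Check a test suite or scanner can run: compile the generated script in a
// throwaway function and verify that `user` still equals the original input.
// A false result means the input either broke out of the literal (extra
// statements ran) or produced a syntax error, i.e. it changed the script's
// structure instead of only its data.
function rendersFaithfully(render, input) {
  try {
    const fn = new Function(render(input) + '\nreturn user;');
    return fn() === input;
  } catch (e) {
    return false; // syntax error: the parameter altered the script's structure
  }
}

// Constructed inputs (not real traffic): an ordinary name, a name containing a
// quote, and a value that closes the literal and appends a statement.
const SAMPLE_INPUTS = ['alice', 'O"Brien', '"; var hijacked = 1; //'];

// Run every sample input through one renderer and report which survive intact.
function checkAll(render) {
  const results = {};
  for (const input of SAMPLE_INPUTS) {
    results[input] = rendersFaithfully(render, input);
  }
  return results;
}

console.log('unsafe renderer:', checkAll(renderScriptUnsafe));
console.log('safe renderer:  ', checkAll(renderScriptSafe));
```

With the unsafe renderer only the plain name survives; the quoted name is a syntax error and the third input runs an extra statement, which is exactly what an automated scanner probing the parameter would notice. The safe renderer returns the original value for all three. Note that `magic_quotes`-style backslash escaping is not a substitute: it targets SQL quoting, not JavaScript string syntax, and does nothing about `</script>` in the output.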

~~~
djcapelis
Thank you for the details.

------
DCoder
Well, at least they had to _try_ to find a hole. I've had the pleasure of
maintaining a "typical PHP project" - written by someone with no clue about
xss, csrf or anything else. It had an admin interface that simply returned the
Location: / header to an unauthorized user without exiting. In a publicly
accessible /admin folder no less. The owner only wised up when Yahoo's
spider crawled in and followed all the "delete news item" links. Yes, GET
links for delete, and DB storing passwords in plain text, isn't that nice.
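
The two defects DCoder describes, the redirect header that is sent without stopping execution and the destructive GET link, as an added example that is not code from the thread or from the project he maintained. It is written in JavaScript with plain objects standing in for a web framework's request and response; the request shapes, the `isAdmin` and `csrf` session fields and the sample token are constructed for the demo.

```javascript
// Added example, not code from the thread: a vulnerable and a hardened
// "delete news item" admin handler. req/res are plain objects (assumed
// shapes for the demo, no framework); the store is an in-memory Map.

function newStore() {
  return new Map([[1, 'first item'], [2, 'second item']]);
}

// Vulnerable handler: sets a redirect for an unauthenticated caller but keeps
// running, so the delete happens anyway. It also deletes on GET, so anything
// that follows links (a search crawler, a prefetching browser) triggers it.
function deleteNewsUnsafe(req, store) {
  const res = { status: 200, headers: {} };
  if (!req.session || !req.session.isAdmin) {
    res.status = 302;
    res.headers.Location = '/';
    // missing return: execution falls through to the delete below
  }
  store.delete(Number(req.query.id));
  return res;
}

// Hardened handler: stop right after the redirect, accept only POST, and
// require a CSRF token bound to the session so neither a followed link nor a
// cross-site form submission can trigger the delete.
function deleteNewsSafe(req, store) {
  const res = { status: 200, headers: {} };
  if (!req.session || !req.session.isAdmin) {
    res.status = 302;
    res.headers.Location = '/';
    return res; // the fix for the fall-through
  }
  if (req.method !== 'POST') {
    res.status = 405; // state-changing actions never happen on GET
    return res;
  }
  if (!req.body || typeof req.body.csrf !== 'string' ||
      req.body.csrf !== req.session.csrf) {
    res.status = 403;
    return res;
  }
  const id = Number(req.body.id);
  if (!store.has(id)) {
    res.status = 404;
    return res;
  }
  store.delete(id);
  return res;
}

// Constructed requests (not real traffic).
const ADMIN_SESSION = { isAdmin: true, csrf: 'constructed-token-123' };
const crawlerGet = { method: 'GET', query: { id: '1' }, session: null };
const adminGet = { method: 'GET', query: { id: '1' }, session: ADMIN_SESSION };
const adminPost = {
  method: 'POST', query: {}, session: ADMIN_SESSION,
  body: { id: '1', csrf: 'constructed-token-123' },
};
const forgedPost = {
  method: 'POST', query: {}, session: ADMIN_SESSION,
  body: { id: '1', csrf: 'wrong-token' },
};

// Run one handler against a fresh store and report the status code plus how
// many items survived, which is what actually matters for this bug.
function simulate(handler, req) {
  const store = newStore();
  const res = handler(req, store);
  return { status: res.status, remaining: store.size };
}

console.log('unsafe, crawler GET:', simulate(deleteNewsUnsafe, crawlerGet));
console.log('safe,   crawler GET:', simulate(deleteNewsSafe, crawlerGet));
console.log('safe,   admin POST: ', simulate(deleteNewsSafe, adminPost));
```

The unsafe handler answers the crawler with a 302 and still deletes the item, which is the behaviour DCoder saw; the safe one redirects with nothing deleted, rejects an admin's GET and a POST with a wrong token, and only deletes on an authenticated POST carrying the session's token. In PHP the equivalent of the missing `return` is calling `exit` immediately after `header('Location: /')`.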

------
farmer_ted
Is anyone still using Facebook?

