

Security flaws in Facebook's Instant Personalization program - gdeglin
http://gdeglin.blogspot.com/2010/09/risks-of-facebooks-instant.html

======
tptacek
The meat of his point is simple, and pretty hard to avoid: when Facebook
allows Yelp to render content trusted and secured by Facebook, Yelp assumes
the same obligations to get web appsec right that Facebook does. An XSS in
personalized Yelp is now, to some extent, an XSS in Facebook.

This is a concept called "transitive trust" and it is as old as the hills.
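As an added illustration of the point above (this is not code from the thread, from Facebook, or from Yelp): a partner site renders a profile handed to it by Facebook, and the fields are still arbitrary user input even though Facebook vouches for the account. The function names and the sample payload are assumptions made for the example.

```javascript
// Constructed sample payload: a display name that happens to contain markup.
const SAMPLE_PROFILE = {
  name: 'Alice <script>alert("xss")</script>',
  city: 'Berlin',
};

// Vulnerable partner template: interpolates profile fields straight into HTML.
// Any markup in a Facebook-supplied field now executes in the partner's origin.
function renderGreetingUnsafe(profile) {
  return `<p>Hi ${profile.name} from ${profile.city}!</p>`;
}

// Minimal HTML entity encoder for text placed between tags.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened template: every upstream field is encoded before it reaches the page.
function renderGreetingSafe(profile) {
  return `<p>Hi ${escapeHtml(profile.name)} from ${escapeHtml(profile.city)}!</p>`;
}

// Defender-side check for a partner's test suite: does the rendered fragment
// still contain, verbatim, an input value that carries a raw tag?
function leaksRawMarkup(profile, render) {
  const out = render(profile);
  return Object.values(profile).some(
    (v) => /<[a-z]/i.test(String(v)) && out.includes(String(v))
  );
}

console.log(renderGreetingUnsafe(SAMPLE_PROFILE)); // script tag survives intact
console.log(renderGreetingSafe(SAMPLE_PROFILE));   // tag rendered as &lt;script&gt;
```

The check is the obligation tptacek describes: once the partner renders Facebook-backed data, the partner's encoding discipline is part of Facebook's attack surface.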

------
greenlblue
Facebook believes in its own view of the world a bit too much. Somebody should
tell those guys to get a sense of humor and stop making the world so "open".

~~~
rblion
If they did, zuckerborg's dystopian vision of the future would crumble...

[http://youropenbook.org/?q=cell+number&gender=female](http://youropenbook.org/?q=cell+number&gender=female)

------
vinhboy
Had my first run-in with instant personalization on Rotten Tomatoes today. It
was really trippy to see myself get automatically ID'd by RT. Why is this
necessary?

I have never worried about Facebook privacy, but this just crossed the line. I
am going to turn it off and see what happens.

------
iuguy
As tptacek says, this is a transitive trust issue. The problem is that
Facebook doesn't seem to care about the security of your data (Facebook
considers your data to belong to them) and is unlikely to enforce security
requirements on sites it partners with.

If they ever open this up for general use, I hope sites like
<http://youropenbook.org/> sign up. I can certainly see this being abused on a
massive scale.

