Security flaws in Facebook's Instant Personalization program (gdeglin.blogspot.com)
31 points by gdeglin 2493 days ago

The meat of his point is simple, and pretty hard to avoid: when Facebook allows Yelp to render content trusted and secured by Facebook, Yelp assumes the same obligations to get web appsec right that Facebook does. An XSS in personalized Yelp is now, to some extent, an XSS in Facebook.

This is a concept called "transitive trust" and it is as old as the hills.
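To make the transitive-trust point concrete, here is an added example that is not from this thread or from any of the sites mentioned: a partner page that renders a profile name handed to it by an identity provider. The data shape (`profile.name`), the function names and the sample name are assumptions for illustration. The unsafe renderer treats the provider-supplied name as trusted markup; the hardened one treats it as data and HTML-encodes it for the text context it lands in, which is the obligation the comment above says the partner inherits.

```javascript
// Added example (not from the thread or the sites it discusses).
// The profile shape, function names and sample values are assumptions.

// Minimal HTML escaper for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: trusts the provider-supplied name and concatenates it
// straight into markup. Whatever was stored in the provider-side field
// becomes live markup on the partner page, so a flaw there is now a
// flaw here as well (the transitive-trust problem).
function renderGreetingUnsafe(profile) {
  return '<p class="greeting">Welcome back, ' + profile.name + '!</p>';
}

// Hardened: the name is data, never markup, so it is encoded for the
// HTML text context before being placed in the page.
function renderGreetingSafe(profile) {
  return '<p class="greeting">Welcome back, ' + escapeHtml(profile.name) + '!</p>';
}

// Constructed sample profile whose display name carries markup characters
// (a benign <b> tag and an ampersand, enough to show the difference).
const SAMPLE_PROFILE = { id: '1234567890', name: 'Ada <b>Lovelace</b> & co.' };

// Review check: does the rendered HTML still contain the raw name verbatim?
// True means the name reached the page as unencoded markup.
function nameLeaksMarkup(html, name) {
  return html.includes(name);
}
```

The same encoding rule applies to every context the partner writes provider data into (attribute values, URLs, JavaScript literals each need their own encoder), and a Content-Security-Policy on the partner site limits the damage when one spot is missed.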

Facebook believes in its own view of the world a bit too much. Somebody should tell those guys to get a sense of humor and stop making the world so "open".

If they did, zuckerborg's dystopian vision of the future would crumble...


Had my first run-in with instant personalization on Rotten Tomatoes today. It was really trippy to see myself get automatically ID'd by RT. Why is this necessary?

I have never worried about Facebook privacy, but this just crossed the line. I am going to turn it off, and see what happens.

As tptacek says, this is a transitive trust issue. The problem is that Facebook doesn't seem to care about the security of your data (Facebook considers your data to belong to them) and is unlikely to enforce security requirements on sites it partners with.

If they ever open this up for general use, I hope sites like http://youropenbook.org/ sign up. I can certainly see this being abused on a massive scale.

