On May 11th it was reported that a flaw had been discovered in Facebook’s Instant Personalization service that made it possible for a third-party to capture a sizable amount of data about you without you ever even knowing it.
For those of you unfamiliar with the Facebook personalization tool, it allows sites to set cookies in your browser so that any time you visit the site again you will see which of your friends have been to the site and see what some of their activity was on that site. So far it has only been implemented on a handful of sites, but it has raised a firestorm of controversy over how much data a social network should share with others.
According to TechCrunch, George Deglin, a Web security expert, decided to play around with it on the Yelp site, to see if he could find any holes in it. Using “Cross Site Scripting”, he was able to inject malicious code in to the site that would allow a Facebook user’s name, e-mail address, friends list, groups and other data to be delivered to a third site for harvesting. Mr. Deglin did report the bug to both Yelp and Facebook which took down the code for a few hours to patch the error before returning it to service.
The problem here is that this cross pollination of services layering on top of one another just leaves to many possibilities for determined hackers to garner information. This particular issue required no action on the user’s part for it to work, and luckily it was discovered by someone with altruistic motives as opposed to someone actually trying to harvest personal info. Of course, there is always a chance it had been discovered by someone else before Mr. Delgin that simply didn’t report because they did want to harvest the information, but there is no way to know that right now.
Of all the issues raised by Facebook’s seeming attack on our privacy in which they feel their 450 million plus users should just share everything, I would have to say this one bothers me the most. If I want someone to know about a news story I read on a site, I’ll hit the “Share” button and tell them myself, but to think I just want all of my Facebook friends to automatically know about what I read and did on a site is act of unbelievable hubris on the part of the social network. Perhaps some people do want this information shared, and if they do, let them opt-in to the tool, don’t make it automatic. I have opted out of the service, but even then that is a pain.
Even though this security hole has been patched, it makes you wonder what else is lurking out there, just waiting to be discovered.