Another Security Hole Found On Yelp, Facebook Data Once Again Put At Risk | TechCrunch

Stop me if this sounds familiar. Last night, we reported on a security exploit discovered by web security consultant George Deglin that would allow a malicious site to quietly harvest a user's Facebook friend list, email address, and other data. The exploit used a technique called Cross Site Scripting (XSS) to inject malicious code into Yelp, and took advantage of the fact that Yelp is one of Facebook's partners for its controversial Instant Personalization feature to harvest the Facebook user data. The hole was quickly patched, and no user data was compromised. Tonight, Deglin discovered a second hole in Yelp that once again allowed him to inject malicious code using XSS that could put Facebook user data at risk. Yelp has now patched this second hole, and once again the company believes that no user data was compromised. Facebook has turned off Instant Personalization on Yelp for the time being as Yelp looks to ensure there are no more vulnerabilities.