Jason Kincaid writes:
As if Facebook’s Instant Personalization needed another knock against it, tonight comes news of a security issue that makes the feature even more unnerving. Web security consultant George Deglin discovered an exploit that would allow a malicious site to immediately harvest a Facebook user’s name, email, and data shared with ‘everyone’ on Facebook, with no action required on the user’s part. This specific exploit has been patched, and no user data was compromised, but the security problems behind it remain.
The exploit took advantage of Cross-Site Scripting to inject malicious code into Yelp.
[…]
… if you visited the malicious site, it would immediately harvest any data that Yelp had access to. And Yelp automatically has access to a lot, including your email, name, profile photo, current location, friend list, and networks. You wouldn’t have to accidentally click anything. The malicious site could do this even if you had never been to Yelp. Also worth noting: Yelp is automatically given access to your email address, when all other Facebook Connect sites have to ask for special permission to access it.
Fortunately, Deglin is one of the good guys. After being notified of the security hole, Yelp and Facebook shut down Instant Personalization for an hour or two until a fix was in place.
Read more on TechCrunch.
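The mechanism the excerpt describes, reduced to its general form as an added example (this is not code from the TechCrunch post, from Yelp, or from Deglin's report, and it does not reproduce the actual Yelp bug, which the post does not detail): a page that echoes attacker-controlled input into HTML without escaping lets a third-party site run script inside the vulnerable site's origin, where that script can read whatever the page itself can read. The profile fields, the search page, and the `sendToAttacker` sink are all hypothetical stand-ins; the "browser" is a crude simulator that only executes inline `<script>` bodies.

```javascript
// Added example, not from the original post. Demonstrates reflected XSS in
// general: an unescaped render beside an escaped one, and a minimal "browser"
// that runs inline scripts with the page's privileges.

// Hypothetical profile data readable by the vulnerable site's pages (constructed
// stand-in for the kind of fields the post lists: name, email, etc.).
const PROFILE = { name: 'Example User', email: 'user@example.com' };

// Vulnerable: reflects the search query into the page without escaping, so any
// <script> in the query becomes script that runs in this site's origin.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: characters with HTML meaning are entity-encoded before
// interpolation, so attacker input can only ever become text, never markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}
function renderSearchHardened(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Deliberately crude browser simulator: pulls every inline <script> body out of
// the rendered HTML and runs it with access to the page's data, as a real
// browser would run inline script in the vulnerable site's origin. Returns the
// values the script handed to the (hypothetical) attacker-controlled sink; a
// real attack would transmit them to a server the attacker runs.
function simulateBrowser(html) {
  const exfiltrated = [];
  const re = /<script>([\s\S]*?)<\/script>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const sendToAttacker = (data) => exfiltrated.push(data);
    // The injected script executes with the page's privileges.
    new Function('profile', 'sendToAttacker', m[1])(PROFILE, sendToAttacker);
  }
  return exfiltrated;
}

// Payload a malicious page could make the victim's browser load, for example by
// pointing a hidden iframe at the vulnerable site's search URL. No click needed.
const PAYLOAD =
  'pizza<script>sendToAttacker(profile.name + ":" + profile.email)</script>';

// Run the payload through a given renderer and report what leaked.
function attackOutcome(render) {
  return simulateBrowser(render(PAYLOAD));
}

console.log('vulnerable:', attackOutcome(renderSearchVulnerable));
console.log('hardened:  ', attackOutcome(renderSearchHardened));
```

The point the simulator makes is the one the post makes: the victim never interacts with the vulnerable site, yet the script runs with that site's access, so the blast radius is whatever the site was pre-authorized to read. Output encoding at the point of interpolation (plus a Content Security Policy that disallows inline script) is what keeps reflected input from becoming code.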