Instant Updates Almost Meant Instant Security Issue
May 11, 2010. Posted by Daniel in WebApps, WebStuff.
Tags: Facebook, personalization, Security hole, Yelp
Personal and private information is becoming less and less personal and private. But with permissions settings and personalization, we don’t seem to mind sharing our info as long as it is protected within our network or among our friends.
The almighty Facebook – the entity responsible for guarding our private and personal contact information, profile photos, and network affiliations – almost shattered this sense of security. Jason Kincaid reports that a security hole in the new Instant Personalization partnership between Yelp and Facebook opened up any Facebook user to instant personal information sharing.
Yelp is the only partner in the Instant Personalization rollout allowed to personalize itself for you if you’re a Facebook member. No login or Facebook Connect required. Yelp instantly gets access to most of your personal data from your Facebook profile, including your email address, without asking your permission.
The security hole involved a potential impostor website capturing Yelp’s browser cookies, getting the key needed to make API requests to Facebook, and posing as Yelp, simply collecting personal info as part of its Instant Personalization.
I’m all for real time search and ideas like Instant Personalization. But what we have to watch is – as speed and personalization increase, do quality and security decrease? Does the Twitter bug from yesterday where Twitter was forced to reset everyone’s follower count to zero not scare as many people because it was handled quickly? If progress is well thought out, there doesn’t need to be a compromise.