Yelp security puts Facebook user details at risk

on May 11, 2010 | Facebook, Yelp

Yelp, a social networking, user review and local search website, is one of only three websites so far eligible for Facebook’s highly controversial and much-anticipated Instant Personalisation feature.

A security issue has come to light in which a malicious site could harvest a Facebook user’s name and email address, along with any data that user’s Facebook contacts had shared with “everyone”, without the user taking any specific action.

The flaw was a cross-site scripting (XSS) vulnerability that allowed malicious code to be injected into Yelp’s pages.

As Yelp is one of the few sites with Facebook’s Instant Personalization feature, it gets immediate access to much of a user’s Facebook data as soon as that user visits Yelp, without the user having to log in through a Facebook Connect button. This is also where the risk lies: if a site with Instant Personalization is compromised, a lot of Facebook users’ details are put at risk, because code running on that site inherits the site’s access to the data.

After the security flaw was discovered, Facebook and Yelp shut down Instant Personalisation for about 2 hours until the issue was rectified.

Each company released the following statements:

‘We were notified of a bug with our Facebook implementation. We immediately turned off the feature and pushed out a fix and the functionality is again live. No user information was compromised.’

‘We were notified of a bug with Yelp’s Facebook implementation earlier today, at which point all related functionality was temporarily shut down before the issue was exposed. Yelp immediately investigated the issue, and the implementation is now back up and running.’

Both companies reacted quickly to resolve the issue; however, the fundamental security problem remains and may require rethinking how integrations like these should work.

Yelp attracts around 31 million users per month.

David: Editor and Founder of I also run a Social Media Agency where I do consulting work and Social Media Management.