A vulnerability in the Facebook Application API allows the construction of a malicious Facebook application that collects a user's personal information, including: full name, profile picture and friends list. The full name and picture of each friend are also accessible. The information is collected without the user's knowledge or consent.

It is possible to launch the attack via an HTML IMG tag, which greatly increases the severity of the breach because there is no need to have the user visit the attacker's site. Instead, any online blog or forum that allows IMG tags in comments can be used. The user needs only to load the relevant page to launch the attack. The attack elegantly ends with a valid image, so the page renders normally and the attacked user does not notice that anything peculiar has happened.

This amounts to a unique kind of CSRF attack in which both the user's browser is tricked into performing an action without user consent (divulging personal information), and the attacker's server is the direct recipient of this action (via the Facebook app server).

Demonstration and discussion of the attack:
http://blog.quaji.com/2009/07/facebook-personal-info-leak.html

Full disclosure and details:
http://blog.quaji.com/2009/08/facebook-csrf-attack-full-disclosure.html

The specific vulnerability used here has just been patched by Facebook, but it is likely that it is still possible to launch this type of attack using other mechanisms and on other social networks.

Ronen Zilberman
http://quaji.com
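The root cause described above is an endpoint that discloses personal data in response to a plain GET carrying ambient session cookies, which is exactly what a browser sends when it loads an IMG tag. The following is an added example, not code from the advisory or from Facebook, showing the server-side gate a developer would put in front of such an endpoint: refuse GET, refuse requests that the browser's Sec-Fetch metadata marks as sub-resource or cross-site loads, and require a per-session anti-CSRF token. The session structure, header names other than the standard Sec-Fetch-* ones, and the secret value are assumptions constructed for the example.

```python
"""Added example (not part of the original advisory): a defensive gate for
an endpoint that returns profile data on behalf of a logged-in user."""
import hashlib
import hmac

# Constructed server-side secret; a real deployment loads this from config.
SERVER_SECRET = b"example-secret-do-not-use"


def make_csrf_token(session_id):
    """Derive a per-session anti-CSRF token as an HMAC of the session id.
    An <img> tag cannot read this value, so it cannot include it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, token):
    """Constant-time comparison of the submitted token with the expected one."""
    if not token:
        return False
    return hmac.compare_digest(make_csrf_token(session_id), token)


def looks_like_image_fetch(headers):
    """True when the browser's Sec-Fetch-* metadata says this URL is being
    loaded as a sub-resource (e.g. an <img>) or from another site.
    Older browsers send neither header, so this check alone is not enough."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("sec-fetch-dest") in ("image", "script", "iframe"):
        return True
    if h.get("sec-fetch-site") == "cross-site":
        return True
    return False


def handle_profile_request(method, headers, form, session):
    """Return (status, body). Profile data is released only to a same-site
    POST that carries a valid anti-CSRF token for the current session."""
    if session is None:
        return 401, {"error": "not logged in"}
    if method != "POST":
        # An IMG tag can only ever produce a GET, so this check defeats it
        # in every browser, old or new.
        return 405, {"error": "profile data is not served on GET"}
    if looks_like_image_fetch(headers):
        return 403, {"error": "sub-resource or cross-site request refused"}
    if not csrf_token_valid(session["id"], form.get("csrf_token")):
        return 403, {"error": "missing or invalid anti-CSRF token"}
    return 200, {"name": session["name"], "friends": session["friends"]}


# Constructed sample session (assumed shape; not the platform's real data).
SAMPLE_SESSION = {"id": "sess-123", "name": "Example User", "friends": ["A", "B"]}


def img_tag_scenario():
    """What the server sees when a third-party page embeds the endpoint in
    an IMG tag: a GET with cookies, no token, image fetch metadata."""
    headers = {"Sec-Fetch-Dest": "image", "Sec-Fetch-Site": "cross-site"}
    return handle_profile_request("GET", headers, {}, SAMPLE_SESSION)


def cross_site_form_scenario():
    """A cross-site POST that lacks the token is also refused."""
    headers = {"Sec-Fetch-Dest": "document", "Sec-Fetch-Site": "cross-site"}
    return handle_profile_request("POST", headers, {}, SAMPLE_SESSION)


def legitimate_scenario():
    """The application's own page posts with the token it was issued."""
    token = make_csrf_token(SAMPLE_SESSION["id"])
    headers = {"Sec-Fetch-Dest": "empty", "Sec-Fetch-Site": "same-origin"}
    return handle_profile_request("POST", headers, {"csrf_token": token}, SAMPLE_SESSION)


if __name__ == "__main__":
    for name, fn in [("img tag", img_tag_scenario),
                     ("cross-site form", cross_site_form_scenario),
                     ("legitimate", legitimate_scenario)]:
        print(name, "->", fn())
```

The order of the checks matters: the POST-only rule and the token are what actually close the hole, because they hold for every browser; the Sec-Fetch check is a cheap extra signal that only newer browsers supply. Marking the session cookie SameSite is a complementary measure that keeps the cookie off cross-site IMG loads in the first place.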