8 comments

[ 4.2 ms ] story [ 29.3 ms ] thread
%s/hacker/cracker/g
Potato, potato.
By your logic, we might as well call it 'cracker news'.
Original story without the splash page:

http://prominentsecurity.com/?p=119

It also says that the flaw has been patched:

"*Update (5/22/10): After reporting the flaw to Facebook Wednesday afternoon, I have confirmed as of Friday afternoon that the flaw has been successfully patched. Facebook now strictly enforces the existence of the “post_form_id” CSRF protection token in the request."

If only deleting one's own account were this easy! I wonder how many people took useful advantage of this hole to commit mutual Facebook suicide.
it's a typical programmer mistake. So how do I avoid it ?
Put some middleware into your web framework that will insert a "secret" into all forms, which contains an unforgeable token generated by the page. Only accept form input when that secret token matches the expected value.

Django will do this for you; presumably other frameworks have similar mechanisms.

http://docs.djangoproject.com/en/dev/ref/contrib/csrf/