"*Update (5/22/10): After reporting the flaw to Facebook Wednesday afternoon, I have confirmed as of Friday afternoon that the flaw has been successfully patched. Facebook now strictly enforces the existence of the “post_form_id” CSRF protection token in the request."
Put some middleware into your web framework that will insert a "secret" into all forms, which contains an unforgeable token generated by the page. Only accept form input when that secret token matches the expected value.
Django will do this for you; presumably other frameworks have similar mechanisms.
8 comments
[ 4.2 ms ] story [ 29.3 ms ] threadhttp://prominentsecurity.com/?p=119
It also says that the flaw has been patched:
"*Update (5/22/10): After reporting the flaw to Facebook Wednesday afternoon, I have confirmed as of Friday afternoon that the flaw has been successfully patched. Facebook now strictly enforces the existence of the “post_form_id” CSRF protection token in the request."
Django will do this for you; presumably other frameworks have similar mechanisms.
http://docs.djangoproject.com/en/dev/ref/contrib/csrf/