Researchers from Princeton University Publish vulnerabilities in unpatched sites

Yesterday a couple of ‘researchers’ published that a couple of major sites were vulnerable to CSRF. A general rule of thumb is that unless you are explicitly protecting against CSRF, or are accidentally protected, you’re vulnerable. CSRF in 2008 is what XSS was in 2002: somewhat understood and rarely protected against properly. Generally I hate it when the media/industry people sensationalize a known issue; however, I feel that letting people know that this issue is common is important (even though there is no new research/data published), hence the post.

From the article:

"ING, YouTube, and MetaFilter all have since fixed these vulnerabilities after being alerted to them by the researchers, but as of press time, the fourth, The New York Times, still harbored a CSRF flaw on its site that would let an attacker cull and abuse email addresses from online subscribers to the site."

Darkreading article: http://www.darkreading.com/document.asp?doc_id=164854&WT.svl=news1_1

CSRF FAQ: http://www.cgisecurity.com/articles/csrf-faq.shtml