Friday, 6th May 2005
Fighting RFCs with RFCs
Google’s recently released Web Accelerator apparently has some scary side-effects. It’s been spotted pre-loading links in password-protected applications, which can amount to clicking on every “delete this” link — bypassing even the JavaScript prompt you carefully added to give people the chance to think twice.
URIs, Addressability, and the use of HTTP GET and POST. A comprehensive, if slightly dry, overview of the issue.
Cross-site request forgery (CSRF). Somehow this vulnerability is news to me.
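The three items above are one problem seen from three angles: a "delete this" link that acts on GET is reachable by any prefetcher (Web Accelerator) and by any third-party page (CSRF). The following is an added example, not code from the post or from any of the linked articles; it puts the unsafe handler beside a hardened one that honours the GET/POST split and ties the action to a per-session token. The `SECRET_KEY` and `session_id` are constructed stand-ins for what a real application would load from its configuration and session store.

```python
import hmac
import hashlib

# Constructed secret for this example; a real application loads it from config.
SECRET_KEY = b"example-secret-key-not-for-production"


def make_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the visitor's session (HMAC of the session id).
    A page that cannot read the victim's session cannot compute this value."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_delete_unsafe(method: str, params: dict, store: dict) -> str:
    """The pattern that bit Web Accelerator users: a state-changing GET.
    Anything that fetches the URL (a prefetcher, an <img src>, a link checker)
    performs the deletion; the JavaScript confirm() never runs."""
    item = params.get("id")
    if item in store:
        del store[item]
        return "deleted"
    return "not found"


def handle_delete_safe(method: str, params: dict, session_id: str, store: dict) -> str:
    """GET stays safe (no side effects) as HTTP intends; the deletion requires
    POST plus a token tied to the session, so neither a prefetcher following links
    nor a forged request from another site can trigger it."""
    if method != "POST":
        return "405 method not allowed"
    token = params.get("csrf_token", "")
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(token, make_csrf_token(session_id)):
        return "403 bad csrf token"
    item = params.get("id")
    if item in store:
        del store[item]
        return "deleted"
    return "not found"


def simulate_prefetch(handler, store: dict, **extra) -> dict:
    """Model a prefetcher that blindly GETs every link on a page and return
    the store afterwards, so the two handlers can be compared on the same input."""
    for item in list(store):
        handler("GET", {"id": item}, store, **extra) if extra else handler("GET", {"id": item}, store)
    return store
```

Running `simulate_prefetch` against the unsafe handler empties the store; against the safe handler it leaves every item in place.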