MemeStreams | MemeStreams Discussion

Create an Account

This page contains all of the posts and discussion on MemeStreams referencing the following web page: Rattle killed it!. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

Rattle killed it!
by Acidus at 5:33 pm EST, Feb 15, 2007

Well, its over. Memestreams now has a cron job running every 2 minutes which deletes the "I like it old-school!" posts that got posted to a user's blog without their permission when they clicked on a link. Welcome to the wonderful world of the XSRF attack.

Originally, the hyperlink that caused a user to make the post was in the SRC of an image. This means simply looking at an HTML page with the image would make a user create a new post. Every time they looked at the page. Once this image attack reached the front page. everyone would be owned, and every time they refreshed the page, they would get owned again. I almost took down my Memestreams dev box with the flood of hits against the database.

Anyway, thanks to Tom and Nick for letting me do this. I found the vuln a few weeks back, and when we roll out the site update in a few days, it will be fixed.

RE: Rattle killed it!
by Rattle at 8:25 pm EST, Feb 15, 2007

Acidus wrote:
Well, its over. Memestreams now has a cron job running every 2 minutes which deletes the "I like it old-school!" posts that got posted to a user's blog without their permission when they clicked on a link. Welcome to the wonderful world of the XSRF attack.

It only deletes them from the main page. They were getting to the point where they were more than half of the main page. They are not being deleted from users' blogs, and they are still clogging up user's agent views. I figured I'd still let you have some fun...