Rattle killed it!
Topic: Technology 5:33 pm EST, Feb 15, 2007

Well, it's over. MemeStreams now has a cron job running every 2 minutes which deletes the "I like it old-school!" posts that got posted to a user's blog without their permission when they clicked on a link. Welcome to the wonderful world of the XSRF attack.

Originally, the hyperlink that caused a user to make the post was in the `src` of an image. This means simply looking at an HTML page containing that image would make a logged-in user create a new post, every time they looked at the page, because the browser fetches the image with the user's session cookie attached. Once this image attack reached the front page, everyone would be owned, and every time they refreshed the page, they would get owned again. I almost took down my MemeStreams dev box with the flood of hits against the database.

Anyway, thanks to Tom and Nick for letting me do this. I found the vuln a few weeks back, and when we roll out the site update in a few days, it will be fixed.
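To make the fix concrete, here is an added example (not MemeStreams' own code) contrasting a post-creation handler that accepts any authenticated GET with one that only changes state on a POST carrying a per-session CSRF token. The request shape (a dict with `method`, `cookies`, `query` and `form`), the `SESSIONS` store and the `img_fetch` / `legit_form_submit` helpers are assumptions made for the example; `img_fetch` models what a browser sends when it loads an `<img src="...">`: a GET with the cookie and nothing else.

```python
# Added example: why a GET that creates a post is forgeable from an <img>,
# and the two server-side checks that stop it. Not MemeStreams code.
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user", "csrf"}
SESSIONS = {}
POSTS = []  # (user, title) tuples written by the handlers


def new_session(user):
    """Log a user in and mint a per-session CSRF token (assumed design)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def vulnerable_make_post(request):
    """Original-style handler: any authenticated request creates a post.
    An <img src="/make_post?title=..."> on any page the user views sends
    exactly this request, session cookie included."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "login required"
    POSTS.append((session["user"], request["query"].get("title", "")))
    return 200, "posted"


def hardened_make_post(request):
    """Same action with two checks: state changes only on POST, and the body
    must carry the session's CSRF token, which a cross-site <img> cannot
    read or send."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "login required"
    if request["method"] != "POST":
        return 405, "method not allowed"  # an <img> can only issue a GET
    submitted = request["form"].get("csrf", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "bad csrf token"  # cross-site form without the token
    POSTS.append((session["user"], request["form"].get("title", "")))
    return 200, "posted"


def img_fetch(sid, title):
    """Constructed model of the browser loading <img src="/make_post?title=...">:
    a GET carrying the victim's cookie and no form body."""
    return {"method": "GET", "cookies": {"sid": sid},
            "query": {"title": title}, "form": {}}


def legit_form_submit(sid, title):
    """Constructed model of the site's own post form: a POST that includes
    the token the server embedded in the page it served to this session."""
    return {"method": "POST", "cookies": {"sid": sid}, "query": {},
            "form": {"title": title, "csrf": SESSIONS[sid]["csrf"]}}


def demo():
    """Run the same forged image request against both handlers."""
    POSTS.clear()
    sid = new_session("acidus")
    forged = img_fetch(sid, "I like it old-school!")
    r_vuln = vulnerable_make_post(forged)       # 200: forged post lands
    r_img = hardened_make_post(forged)          # 405: GET rejected
    no_token = dict(forged, method="POST")      # cross-site POST, no token
    r_post = hardened_make_post(no_token)       # 403: token mismatch
    r_legit = hardened_make_post(legit_form_submit(sid, "a real post"))  # 200
    return r_vuln[0], r_img[0], r_post[0], r_legit[0], len(POSTS)


if __name__ == "__main__":
    print(demo())  # (200, 405, 403, 200, 2)
```

The cron job described above cleans up after the fact; the method and token checks are what keep the forged request from ever writing a post. Requiring POST alone is not enough, since a hidden cross-site `<form>` can auto-submit a POST, which is why the token comparison is the check that actually closes the hole.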
