http://simonwillison.net/2008-09-29T13:11:23+00:00Simon Willison2008-09-29T13:11:23+00:002008-09-29T13:11:23+00:00https://simonwillison.net/2008/Sep/29/popular/#atom-tag

<blockquote cite="http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks"><p>We've found CSRF vulnerabilities in sites that have a huge incentive to do security correctly. If you're in charge of a website and haven't specifically protected against CSRF, chances are you're vulnerable.</p></blockquote> <p class="cite">&mdash; <a href="http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks">Bill Zeller</a></p> <p>Tags: <a href="https://simonwillison.net/tags/bill-zeller">bill-zeller</a>, <a href="https://simonwillison.net/tags/csrf">csrf</a>, <a href="https://simonwillison.net/tags/security">security</a></p>

2008-09-29T13:08:52+00:002008-09-29T13:08:52+00:00https://simonwillison.net/2008/Sep/29/csrf/#atom-tag

<p><strong><a href="http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks">Popular Websites Vulnerable to Cross-Site Request Forgery Attacks</a></strong></p> Ed Felten and Bill Zeller announce four CSRF holes, in ING Direct, YouTube, MetaFilter and the New York Times. The ING Direct hole allowed transfer of funds out of a user’s bank accounts! The first three were fixed before publication; the New York Times hole still exists (despite being reported a year ago), and allows you to silently steal e-mail addresses by CSRFing the “E-mail this” feature. <p>Tags: <a href="https://simonwillison.net/tags/bill-zeller">bill-zeller</a>, <a href="https://simonwillison.net/tags/csrf">csrf</a>, <a href="https://simonwillison.net/tags/ed-felten">ed-felten</a>, <a href="https://simonwillison.net/tags/ingdirect">ingdirect</a>, <a href="https://simonwillison.net/tags/metafilter">metafilter</a>, <a href="https://simonwillison.net/tags/new-york-times">new-york-times</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/youtube">youtube</a></p>