Comment Re:Okay, I'll be the first to ask. (Score 1) 170
This exploit is different from XSS and is not new. It's called CSRF, Cross-Site Request Forgery. Web developers have known about it for several years. It's tricky to understand and potentially very dangerous, but there are remedies.
Because the problem and remedies are somewhat abstruse, casual or uninformed developers don't always take it into consideration. I'm actually a little surprised that the vast majority of commentators here seem to be unaware of it.
References:
http://getahead.org/blog/joe/2007/01/01/csrf_attacks_or_how_to_avoid_exposing_your_gmail_contacts.html
http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://www.tux.org/~peterw/csrf.txt (from 2001!)
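The synchronizer-token remedy the comment alludes to, shown as an added example that is not from the original post or the linked articles; the plain-dict request shape, the `handle` dispatcher and the `https://example.test` origin are constructed for the illustration:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side secret, generated once at startup (constructed for this example).
SERVER_SECRET = secrets.token_bytes(32)

def issue_csrf_token(session_id: str) -> str:
    """Derive the anti-CSRF token for a session.

    The server embeds it in its own forms as a hidden field. A page on
    another site can make the browser send the victim's session cookie,
    but it cannot read this value, so a forged POST arrives without it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def is_valid_csrf(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)

def handle(request: dict, site_origin: str = "https://example.test") -> str:
    """Minimal dispatcher: every state-changing request must pass the CSRF check.

    `request` is a plain dict standing in for a framework request object
    (hypothetical shape: method, cookies, headers, form).
    """
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return "401 not logged in"
    if request["method"] in ("POST", "PUT", "DELETE"):
        # Defence in depth: an Origin header, when present, must match our site.
        origin = request.get("headers", {}).get("Origin")
        if origin is not None and origin != site_origin:
            return "403 cross-origin request rejected"
        if not is_valid_csrf(session_id, request.get("form", {}).get("csrf_token")):
            return "403 missing or invalid CSRF token"
    return "200 ok"

# Constructed sample traffic: a genuine form submission and a forged one
# that carries the victim's cookie but neither the token nor our Origin.
GENUINE = {"method": "POST", "cookies": {"session": "sess-42"},
           "headers": {"Origin": "https://example.test"},
           "form": {"csrf_token": issue_csrf_token("sess-42"), "to": "a@b"}}
FORGED = {"method": "POST", "cookies": {"session": "sess-42"},
          "headers": {"Origin": "https://evil.example"},
          "form": {"to": "a@b"}}
```

`handle(GENUINE)` returns `200 ok` while `handle(FORGED)` is rejected; a forged request that omits the Origin header entirely still fails on the token check.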