Memes, lies and hysteria - Grin with cat attached
Jun. 12th, 2004 08:29 pm
It is not a browser bug, it is a flaw in the way LJ (and many other sites) use permanent cookies to handle non-expiring logins. The scheme used by such sites prevents anyone but the user from *seeing* anything personal to them, but not from submitting data *as* that user.
The only really surprising thing about this flaw is that it has taken this long for anyone to realise its potential or exploit it as an attack. The onus to fix it is on the affected sites, which need to take steps to confirm that only their own forms are accepted for submission where there is an impersonation risk. This can be achieved fairly easily at the design stage by inserting per-user secrets into forms. As such, phase.org's code is now protected against such attacks (although, due to its more paranoid security measures, it was never as vulnerable).
Naturally it's a bit more of a bugger to retro-fit to an existing site.
A blanket block against cross-site form submission is not going to help; in fact various sites (e.g. First Direct's Internet Banking Plus) use it quite legitimately. The need is to fix the problem in the sites, not the functionality in the browser.
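One way to implement the per-user form secret described above, as an added example and not phase.org's or LJ's actual code. The names `SERVER_KEY`, `form_token`, `render_post_form`, `accept_submission`, the `form_token` field name and the HMAC construction are all assumptions made for illustration; the cookie values are constructed.

```python
import hashlib
import hmac
import html
import secrets

# Assumption: a single server-side key that is never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


def form_token(login_cookie: str) -> str:
    """Per-user secret: HMAC of the user's login cookie under the server key."""
    return hmac.new(SERVER_KEY, login_cookie.encode(), hashlib.sha256).hexdigest()


def render_post_form(login_cookie: str) -> str:
    """Emit the site's own form with the per-user secret as a hidden field."""
    token = html.escape(form_token(login_cookie), quote=True)
    return (
        '<form method="post" action="/update">\n'
        f'  <input type="hidden" name="form_token" value="{token}">\n'
        '  <textarea name="body"></textarea>\n'
        '  <input type="submit">\n'
        '</form>'
    )


def accept_submission(login_cookie: str, fields: dict) -> bool:
    """Accept a POST only if its token matches the one issued for this cookie.

    The browser attaches the permanent login cookie to any request, so the
    cookie alone proves nothing about which page built the form.
    """
    posted = fields.get("form_token", "")
    if not isinstance(posted, str):
        return False
    expected = form_token(login_cookie)
    # Constant-time comparison so the check does not leak the token.
    return hmac.compare_digest(posted.encode(), expected.encode())


if __name__ == "__main__":
    cookie = "constructed-login-cookie-for-alice"
    own_form = {"form_token": form_token(cookie), "body": "my own entry"}
    foreign_form = {"body": "submitted from another site"}  # cookie sent, no secret
    print("site's own form accepted:", accept_submission(cookie, own_form))
    print("cross-site form accepted:", accept_submission(cookie, foreign_form))
```

Because the token is derived from the login cookie, it needs no server-side storage, which also eases retro-fitting: each form template gains one hidden field and each handler one check.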