

Hackers Can Delete Facebook Friends, Thanks to Flaw - JeanPierre
http://www.pcworld.com/businesscenter/article/196901/hackers_can_delete_facebook_friends_thanks_to_flaw.html

======
snewe
Original story without the splash page:

<http://prominentsecurity.com/?p=119>

It also says that the flaw has been patched:

"Update (5/22/10): After reporting the flaw to Facebook Wednesday afternoon,
I have confirmed as of Friday afternoon that the flaw has been successfully
patched. Facebook now strictly enforces the existence of the “post_form_id”
CSRF protection token in the request."

------
hanksims
If only deleting one's own account were this easy! I wonder how many people
took useful advantage of this hole to commit mutual Facebook suicide.

------
baby
It's a typical programmer mistake. So how do I avoid it?

~~~
nostrademons
Put some middleware into your web framework that will insert a "secret" into
all forms, which contains an unforgeable token generated by the page. Only
accept form input when that secret token matches the expected value.

Django will do this for you; presumably other frameworks have similar
mechanisms.

<http://docs.djangoproject.com/en/dev/ref/contrib/csrf/>
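A minimal version of that middleware, written here as an added example (it is not code from this thread and not Django's implementation): a random per-session token is placed into every form as a hidden field, and a state-changing request is accepted only when it carries the matching token. The "lenient" check shows the pattern the update above describes Facebook fixing, a token that is validated only when the client chose to send one; the "strict" check rejects a POST that omits it. The handler names, the /friends/remove action and the field names are assumed for the illustration.

```python
import hmac
import secrets
from html import escape

# Methods that must not change state and therefore skip the check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class CsrfRejected(Exception):
    """Raised when a state-changing request fails the CSRF check."""


def new_session():
    # One random token per session, kept server-side. A page on another origin
    # cannot read it, so it cannot put the right value into a form of its own.
    return {"csrf_token": secrets.token_urlsafe(32)}


def render_form(session, action="/friends/remove", friend_id="123"):
    # The framework hook: every form the site emits carries the token as a
    # hidden field. (Action and field names are assumed for this example.)
    return (
        f'<form method="POST" action="{escape(action)}">\n'
        f'  <input type="hidden" name="csrf_token" value="{escape(session["csrf_token"])}">\n'
        f'  <input type="hidden" name="friend_id" value="{escape(friend_id)}">\n'
        f'  <input type="submit" value="Remove friend">\n'
        f'</form>'
    )


def csrf_check_lenient(session, method, form):
    # Broken pattern: the token is validated only when the client sent one.
    # A cross-site form simply omits the field and is accepted.
    if method in SAFE_METHODS:
        return True
    if "csrf_token" in form:
        return hmac.compare_digest(form["csrf_token"], session["csrf_token"])
    return True


def csrf_check_strict(session, method, form):
    # Fixed pattern: an unsafe request without a token is rejected outright,
    # and a supplied token must equal the session's (constant-time compare).
    if method in SAFE_METHODS:
        return True
    supplied = form.get("csrf_token")
    if not supplied:
        return False
    return hmac.compare_digest(supplied, session["csrf_token"])


def csrf_protect(check):
    # Middleware: wrap a handler so the check runs before any state changes.
    def wrap(handler):
        def guarded(session, method, form):
            if not check(session, method, form):
                raise CsrfRejected("missing or invalid CSRF token")
            return handler(session, method, form)
        return guarded
    return wrap


def remove_friend(session, method, form):
    # Stand-in for the state-changing action being protected (constructed).
    return f"removed friend {form['friend_id']}"


def run_scenarios():
    """Replay a legitimate submission and two forged ones against both checks."""
    session = new_session()
    # Constructed request bodies: the victim's own form, an attacker's form that
    # omits the field, and an attacker's form with a guessed token.
    requests = {
        "legit": {"csrf_token": session["csrf_token"], "friend_id": "123"},
        "forged_no_token": {"friend_id": "123"},
        "forged_guessed_token": {"csrf_token": secrets.token_urlsafe(32), "friend_id": "123"},
    }
    results = {}
    for check_name, check in (("lenient", csrf_check_lenient), ("strict", csrf_check_strict)):
        handler = csrf_protect(check)(remove_friend)
        for req_name, form in requests.items():
            try:
                results[(check_name, req_name)] = handler(session, "POST", form)
            except CsrfRejected:
                results[(check_name, req_name)] = "rejected"
    return results


if __name__ == "__main__":
    for (check_name, req_name), outcome in run_scenarios().items():
        print(f"{check_name:8} {req_name:22} -> {outcome}")
```

Running it shows the lenient check letting the token-less forgery through while the strict check rejects it; both reject a guessed token. Two details matter in practice: the token must be bound to the session (a fixed site-wide value is just a public constant), and the comparison should be constant-time. Django's mechanism differs in its storage details (it keeps the token in a cookie and compares it with the hidden field), but the requirement that an unsafe request without a valid token be refused is the same.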

------
gcr
%s/hacker/cracker/g

~~~
jonursenbach
Potato, potato.

~~~
gcr
By your logic, we might as well call it 'cracker news'.

