Hacking Google Calendar - dfield
http://nealpoole.com/blog/2010/11/google-vulnerability-reward-program-google-calendar-csrf/

======
mcs
I wonder how many other sites put in CSRF tokens but don't validate.

~~~
mike-cardwell
For every one of these websites, there are probably 10,000 that don't do any
CSRF checking at all.

------
jrockway
Very odd that they included XSRF tokens but did not validate them.

~~~
nbpoole
Yeah, that was what I thought too. It was a very weird situation. And it was
the only one of its kind that I found: I found other vulnerabilities, but none
where CSRF tokens were presented but not validated.

Edit: I should clarify that this is my blog post ;)

------
xtacy
Another interesting point is the generation of unique IDs that weren't
cryptographic. The uid in src=<uid> shouldn't be guessable, right? It looks
like it just went through a simple transformation that was easily reversible.

On the other hand, if the CSRF tokens were validated, the uid field needn't be
guessable.
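Added example, not from the thread or the linked blog post: a minimal, framework-free sketch of the two server-side patterns the comments contrast. The "presence-only" handler emits a CSRF token and checks that the field exists but never compares its value, which is the class of bug described above; the validated handler binds the token to the session and compares it in constant time. The last function covers xtacy's point by generating an identifier from a CSPRNG rather than from a reversible transformation of a counter. All names, the in-memory session store and the form dicts are constructed for this example.

```python
import hmac
import secrets

# Constructed in-memory session store; a real app would use its session backend.
SESSIONS = {}


def new_session():
    """Create a session and mint a per-session CSRF token from the OS CSPRNG."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Value the server would embed in the form's hidden csrf_token field."""
    return SESSIONS[sid]["csrf_token"]


def handle_post_presence_only(sid, form):
    """Weak pattern from the thread: the token is issued and its presence is
    checked, but the submitted value is never compared with the session's
    token, so any value (or a stale one from another user) is accepted."""
    if "csrf_token" not in form:
        return 403
    return 200


def handle_post_validated(sid, form):
    """Correct pattern: reject when the session is unknown, the field is
    missing, or the value differs from the token bound to this session.
    Comparison is constant-time and done on bytes so non-ASCII input cannot
    raise instead of being rejected."""
    session = SESSIONS.get(sid)
    submitted = form.get("csrf_token")
    if session is None or not submitted:
        return 403
    expected = session["csrf_token"].encode("utf-8")
    if not hmac.compare_digest(submitted.encode("utf-8"), expected):
        return 403
    return 200


def unguessable_uid():
    """Identifier with no relationship to a counter or other public value;
    128 bits of CSPRNG output, URL-safe, suitable for a src=<uid> parameter."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    sid = new_session()
    token = render_form(sid)
    print("validated, correct token:", handle_post_validated(sid, {"csrf_token": token}))
    print("validated, forged token: ", handle_post_validated(sid, {"csrf_token": "forged"}))
    print("presence-only, forged:   ", handle_post_presence_only(sid, {"csrf_token": "forged"}))
    print("uid:", unguessable_uid())
```

The difference a reviewer looks for is the `hmac.compare_digest` line against the session-bound value: emitting a token changes nothing unless the POST handler actually rejects on mismatch.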

