
Both Michal Zalewski[1] and Chris Evans[2] have commented on this, and I tend to agree with them. The actual implications for a CSRF like this are very minimal.

[1] https://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not... [2] http://scarybeastsecurity.blogspot.com/2010/01/logout-xsrf-s...




The implications for HN are minimal, but this is a login CSRF, not a logout CSRF. Like session fixation, login fixation is a serious flaw.

Believe it or not, there have been apps with serious flaws stemming from logout fixation --- but those flaws were notable because they weaponized logout CSRF. :)

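As an added illustration (not part of the thread) of what the login-CSRF defence looks like server-side: the anti-CSRF token is bound to the anonymous pre-login session, an Origin check runs first, and the token is rotated once the login succeeds. The site origin, handler names and form fields are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Login CSRF: a third-party page makes the victim's browser POST the attacker's
# credentials to the login endpoint, so the victim ends up silently logged in
# as the attacker. The defence is the same as for any state-changing request:
# a token tied to the (pre-login) session plus an Origin check.
ALLOWED_ORIGIN = "https://news.example"  # assumed site origin, not a real one

@dataclass
class Session:
    """Anonymous session created when the login form is first served."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    user: Optional[str] = None

def render_login_form(session: Session) -> dict:
    """The server embeds the session's token in the login form."""
    return {"csrf_token": session.csrf_token}

def handle_login(session: Session, form: dict, headers: dict, credentials_ok: bool) -> str:
    """Return 'ok' or a rejection reason; CSRF checks run before authentication."""
    origin = headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return "rejected: cross-origin request"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):  # constant-time compare
        return "rejected: bad csrf token"
    if not credentials_ok:
        return "rejected: bad credentials"
    # Rotate the token (a real app also regenerates the session id here) so nothing
    # issued to the anonymous session survives into the authenticated one.
    session.csrf_token = secrets.token_urlsafe(32)
    session.user = form["username"]
    return "ok"

def demo() -> Tuple[str, str, str]:
    victim = Session()  # victim's anonymous session cookie
    form = render_login_form(victim)
    good = handle_login(victim, {"username": "alice", "csrf_token": form["csrf_token"]},
                        {"Origin": ALLOWED_ORIGIN}, credentials_ok=True)
    # Forged cross-site POST: the attacker cannot read the victim's token
    forged = handle_login(Session(), {"username": "attacker", "csrf_token": "guess"},
                          {"Origin": "https://evil.example"}, credentials_ok=True)
    # Same forgery from a client that sends no Origin header: the token check still catches it
    forged_no_origin = handle_login(Session(), {"username": "attacker"}, {}, credentials_ok=True)
    return good, forged, forged_no_origin
```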

What exactly is "logout fixation"? Session/login fixation makes sense, but I can't really imagine what logout fixation would look like. Google was of no help, either. Do you mean a logout function which doesn't properly log you out, or logout CSRF?


Sorry, that's a typo. I meant "logout CSRF".


Gotcha.


I agree that depending on the context session fixation and login CSRFs can have actual security impact, but those cases are few and far between, so calling them a "serious flaw" feels a bit hyperbolic to me.


Gmail account contacts were stolen in a CSRF attack (combined with another vulnerability). This type of attack is often overlooked, but it's very real.

http://archive.oreilly.com/pub/post/gmail_exploit_contact_li...


As far as I can tell that particular vulnerability isn't a CSRF at all, it's an insecure JSONP endpoint[1]. The original author is mistaken.

[1] http://homakov.blogspot.com/2013/02/are-you-sure-you-use-jso...


CSRF attacks are very real, but the impact is generally taken into account before calling things a "vulnerability".

e.g. you can have a SQL injection that's not a vulnerability because the input passes through a substr($_GET["id"],1,1).



