This bit me in the ass once and I learned my lesson.
I was working at a social networking startup and I created a Groups feature which allowed users to create their own groups with a forum and a photo gallery and a member list, news feed and so on.
Then one day a user sent us an email claiming her group was displaying erratic behavior (users randomly banned, posts randomly deleted, etc). It took us weeks to figure it out, but our ops guy eventually helped us track it down to Google Web Accelerator, which was pre-fetching URLs displayed on the page via GET (links labeled "Ban" and "Delete").
This unintentionally effected a similar "Confused Agent" exploit since the app was misusing HTTP in precisely the manner described in this post.
Google Web Accelerator has since been discontinued for precisely this reason.
http://webaccelerator.google.com/webmasterhelp.html
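
The failure described in the comment above, reproduced in-process as an added example (not code from the commenter or their startup): a prefetcher issues GET for every link on a page, first against an app that acts on GET, then against one that only accepts POST for state changes. The `/ban` and `/delete` routes, the `post_only` switch and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
from wsgiref.util import setup_testing_defaults

# Constructed sample: an admin page whose actions are plain links.
PAGE = '<a href="/ban?user=alice">Ban</a> <a href="/delete?post=7">Delete</a>'

def make_app(state, post_only):
    """Hypothetical group-admin WSGI app; post_only toggles the fix."""
    def app(environ, start_response):
        if post_only and environ["REQUEST_METHOD"] != "POST":
            # Safe methods (GET/HEAD) must never change state: refuse them.
            start_response("405 Method Not Allowed", [("Allow", "POST")])
            return [b""]
        args = parse_qs(environ["QUERY_STRING"])
        if environ["PATH_INFO"] == "/ban":
            state["members"].discard(args["user"][0])
        elif environ["PATH_INFO"] == "/delete":
            state["posts"].discard(int(args["post"][0]))
        start_response("204 No Content", [])
        return [b""]
    return app

def call(app, method, url):
    """Drive the app in-process and return the status line it sent."""
    parts = urlsplit(url)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": parts.path,
               "QUERY_STRING": parts.query}
    setup_testing_defaults(environ)  # fills the remaining WSGI keys
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]

class Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href")

def prefetch(app, html):
    """What a link-prefetching accelerator does: GET every href on the page."""
    parser = Links()
    parser.feed(html)
    return [call(app, "GET", href) for href in parser.hrefs]

def run(post_only):
    state = {"members": {"alice", "bob"}, "posts": {7, 8}}
    return prefetch(make_app(state, post_only), PAGE), state
```

Requiring POST stops prefetchers and crawlers; it does not by itself stop a cross-site request forged on the user's behalf, which needs a per-request token as well.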