June 12th, 2008
What Mislav exploited was the fact that Working With Rails didn't require a POST request to create recommendations, so just by visiting his blog you'd inadvertently recommend him (if you were logged into WWR).
In less than 24 hours Mislav got enough recommendations to boost his ranking by 10 places.
WWR fixed that particular hack: they disallowed GET requests to the create action, only allowing POST.
However, they certainly haven't solved the problem. It's possible to make cross-site POST requests without the user actively submitting a form: JavaScript can submit a form on the attacker's page, and the browser attaches the victim's WWR session cookie to that POST just as it would to a GET. This script I made creates an iframe with a form inside, and submits the form. So, without a user realizing it, they've recommended me on WWR (I haven't used it on this site, by the way).
It shows that it's fundamentally important to use a form authenticity token, a per-session secret that every state-changing request must echo back (which Rails 2 now does by default with protect_from_forgery), to prevent CSRF. An attacker's page can send requests with the victim's cookies, but it cannot read the victim's pages, so it cannot learn the token.
And it's worth bearing in mind that an open crossdomain.xml file (allow-access-from domain="*") would make any CSRF protection absolutely worthless, since a Flash movie on any site could then read WWR responses with the victim's cookies, fetch the form page, grab that authenticity token and submit it.
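The following Ruby simulation is an added example, not the author's iframe script nor WWR's or Rails' code. It models the endpoint two ways (POST-only, as WWR fixed it, and POST plus a per-session authenticity token), then replays the three situations the post describes: the hidden-form POST that carries the victim's cookie but no token, a legitimate submission that reads the token from the form page, and the same read-then-post performed by a Flash movie once an open crossdomain.xml lets it read WWR responses cross-origin. The class and method names (`RecommendApp`, `forged_post`, `post_with_token_from_page`) are hypothetical, and the browser's cookie handling is simulated by passing the cookie explicitly.

```ruby
require 'securerandom'

# Stand-in for the WWR "recommend" endpoint (hypothetical; not WWR's or Rails' code).
# require_token: false models WWR's fix (POST only, no token);
# require_token: true models what Rails 2's protect_from_forgery adds.
class RecommendApp
  attr_reader :recommendations

  def initialize(require_token:)
    @require_token = require_token
    @sessions = {}        # session cookie => { user:, token: }
    @recommendations = []
  end

  # Log a user in and hand back the session cookie the browser will store.
  def login(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user: user, token: SecureRandom.hex(16) }
    sid
  end

  # GET /recommendations/new: the page carrying the hidden token field.
  # Only something that can read WWR responses with the victim's cookie
  # (same-origin script, or Flash behind an open crossdomain.xml) sees it.
  def new_form_html(cookie)
    session = @sessions.fetch(cookie)
    %(<form method="post" action="/recommendations">) +
      %(<input type="hidden" name="authenticity_token" value="#{session[:token]}">) +
      %(<input type="hidden" name="user_id" value="someone"></form>)
  end

  # POST /recommendations. Returns :created or a symbol naming the rejection.
  def create(method:, cookie:, params:)
    return :method_not_allowed unless method == 'POST'
    session = @sessions[cookie]
    return :unauthenticated unless session
    if @require_token
      token = params['authenticity_token'].to_s
      return :invalid_token unless secure_compare(token, session[:token])
    end
    @recommendations << [session[:user], params['user_id']]
    :created
  end

  private

  # Constant-time comparison so the token cannot be guessed byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# The hidden-iframe form: the victim's browser attaches the WWR cookie to a
# POST the victim never chose to send. The attacker's page cannot read the
# token, so the request carries none.
def forged_post(app, victim_cookie)
  app.create(method: 'POST', cookie: victim_cookie,
             params: { 'user_id' => 'attacker' })
end

# Read the token out of the form page first, then POST it back. Legitimate
# same-origin use does this; so does a Flash movie on the attacker's origin
# once crossdomain.xml allows any domain to read WWR responses.
def post_with_token_from_page(app, victim_cookie)
  html = app.new_form_html(victim_cookie)
  token = html[/name="authenticity_token" value="([0-9a-f]+)"/, 1]
  app.create(method: 'POST', cookie: victim_cookie,
             params: { 'user_id' => 'attacker', 'authenticity_token' => token })
end

# Runs all four cases and returns their outcomes keyed by scenario.
def demo
  results = {}
  post_only = RecommendApp.new(require_token: false)
  cookie = post_only.login('victim')
  results[:post_only_get]    = post_only.create(method: 'GET', cookie: cookie,
                                                params: { 'user_id' => 'attacker' })
  results[:post_only_forged] = forged_post(post_only, cookie)

  with_token = RecommendApp.new(require_token: true)
  cookie = with_token.login('victim')
  results[:token_forged]         = forged_post(with_token, cookie)
  results[:token_read_then_post] = post_with_token_from_page(with_token, cookie)
  results
end

puts demo.inspect if __FILE__ == $0
```

Blocking GET stops Mislav's link-only trick (`:method_not_allowed`) but not the scripted form POST (`:created`), while the token rejects the blind POST (`:invalid_token`); the last case is the same `:created` whether the token was read by the user's own page or by Flash through an open crossdomain.xml, which is exactly why that file undoes the protection.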