undefined | Better HN

0 pointsndriscoll7mo ago0 comments

If the user did not intend to do the action that the malicious site had their browser perform for their account, it is by definition CSRF. The other site forged a request from the user.

Facebook might not care, but it is obviously a vulnerability. Sites can forge likes from users (which IIRC appear on timelines?).

0 comments

bawolff7mo ago

> Facebook might not care

Facebook does care. Allowing like buttons on third party sites was (at least historically) a major part of their business. Its not like they are just being apathetic here - they actively want people to be able to like things from outside of facebook and put in effort to make that happen.

ndriscollOP7mo ago

They're clearly aware of the vulnerability if they close accounts for exploiting it. Techniques to prevent it are well-known and allegedly they have lots of skilled engineers. But those techniques would increase friction a little bit, so they've evidently decided they don't care about the vulnerability.

fc417fc8027mo ago

Seems less like a vulnerability and more like a violation of ToS. Doesn't each involved party have an account? Is there a way for an otherwise unrelated third party to exploit this?

bawolff7mo ago

Its not that techniques are known to prevent this issue. It is prevented by default. Facebook has to take active steps to make this work. If they did nothing there would be no vulnerability.

j / k navigate · click thread line to collapse

0 pointsndriscoll7mo ago0 comments

If the user did not intend to do the action that the malicious site had their browser perform for their account, it is by definition CSRF. The other site forged a request from the user.

Facebook might not care, but it is obviously a vulnerability. Sites can forge likes from users (which IIRC appear on timelines?).

0 comments

bawolff7mo ago

> Facebook might not care

ndriscollOP7mo ago

fc417fc8027mo ago

Seems less like a vulnerability and more like a violation of ToS. Doesn't each involved party have an account? Is there a way for an otherwise unrelated third party to exploit this?

bawolff7mo ago

Its not that techniques are known to prevent this issue. It is prevented by default. Facebook has to take active steps to make this work. If they did nothing there would be no vulnerability.

j / k navigate · click thread line to collapse