The real problem with CSRF vulnerabilities is that in most organisations, they're nobody's responsibility. The architects, designers and developers all think that security is someone else's problem. Like much security engineering, it's not that hard to design around but it does take a level of skill.
One of the reasons that companies don't bother with fixing their development process is that they can pass on the impact to the end user. If someone renamed your Heroku instance, that's your problem more than Heroku's. Sure they need to fix it, but if the numbers are small enough then it's worth the customer service cost to them whereas your site is gone until it's discovered.
It's great to see someone banging the drum about this. CSRF is incredibly common, mainly because if you don't know what it is your applications are vulnerable (you have to fully understand it in order to protect against it, and most engineers don't understand it). It makes for a good interview question :)
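To make concrete what "designing around" CSRF looks like in the comment above, here is an added Python example that is not part of the thread or of any product mentioned in it. It models a state-changing handler (the "rename your instance" action from the thread, with a hypothetical `handle_rename` function and constructed request dictionaries) and shows why a session cookie alone is not proof of intent: the browser attaches the cookie to a cross-site form post automatically, but a per-session anti-CSRF token that the attacker cannot read is absent from the forged request, so the handler rejects it. The token scheme (random nonce plus an HMAC over session id and nonce) and the server secret are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed for the example: in a real deployment this comes from configuration
# or a secrets manager, not a fresh random value per process.
SERVER_SECRET = os.urandom(32)


def issue_csrf_token(session_id: str) -> str:
    """Return a token bound to one session: <nonce>.<HMAC(secret, session_id:nonce)>.

    The token is embedded in the server-rendered form, so only a page served by
    this origin to this session can present it; a third-party page cannot read it.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_rename(request: dict) -> tuple:
    """Simulated POST handler for a state-changing action (hypothetical, for illustration).

    `request` is a constructed dict with 'cookies' (what the browser attached
    automatically) and 'form' (what the submitting page controlled).
    """
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return 401, "not logged in"
    # The cookie only proves a browser is logged in, not that the user meant this
    # request. The token proves the form came from a page this server rendered
    # for this session.
    token = request.get("form", {}).get("csrf_token")
    if not verify_csrf_token(session_id, token):
        return 403, "CSRF token missing or invalid"
    return 200, "renamed instance to " + request["form"].get("new_name", "")


def demo() -> dict:
    """Run the legitimate and the cross-site cases and return their status codes."""
    session = "sess-constructed-123"
    token = issue_csrf_token(session)

    # Legitimate: the user submits the form the server rendered for their session.
    legitimate = {"cookies": {"session": session},
                  "form": {"csrf_token": token, "new_name": "myapp"}}

    # Cross-site: the browser still attaches the session cookie, but the
    # submitting page cannot know the token, so the form carries none.
    cross_site = {"cookies": {"session": session},
                  "form": {"new_name": "owned"}}

    # Token issued for a different session is not accepted either.
    other_session_token = issue_csrf_token("sess-other")
    wrong_session = {"cookies": {"session": session},
                     "form": {"csrf_token": other_session_token, "new_name": "owned"}}

    return {
        "legitimate": handle_rename(legitimate)[0],
        "cross_site": handle_rename(cross_site)[0],
        "wrong_session": handle_rename(wrong_session)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the check is bound to the session, compared in constant time, and enforced on every state-changing route rather than left to individual developers to remember; `SameSite` cookie attributes are a useful additional layer, but the token is what makes the handler's decision explicit.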
casca|14 years ago
simonw|14 years ago
meow|14 years ago
Why are these threads getting killed so often?
pg|14 years ago
http://news.ycombinator.com/item?id=3791403
http://news.ycombinator.com/item?id=3789673
stefantalpalaru|14 years ago
Tichy|14 years ago