Alert: Cross Site Request Forgery!

Don't know what a CSRF is?
It's when people can get things done on a site - remotely, by using other people.

Please - read more about it on the Security Information Blog and protect yourself and your site.

Security Information Blog >>

Oh - and share this afterwards so others can learn about it too.

#CSRF #security #antihack

It's not a troll.
It's a good piece that shows what Cross Site Request Forgeries and similar attacks are, and how they work.

Personally I was shocked when I found out,
and more so when I tested it out for myself.
Yes - it does
It demonstrates a forged request
It also highlights a minor flaw in Google's processing of that request.
More importantly - it shows people that they need to be a lot more careful about what they click, and what the possible consequences are.
It's a shortened URL redirect, just that, and very very common on many social platforms.

PS: I'm not a big fan of using such when it's totally unnecessary, this is not Twitter ;)

The Bitly is a short URL redirect.

After that you get the G Logout ... which processes without confirmation, without any form of validation, no use of nonce values, no referrer checks etc.

Not just a simple short URL and redirect.
Lyndon, look at the Set-Cookies headers > 01-Jan-1990
then X-XSS-Protection > 1; mode=block
Your point here is?

They have not supplied any form of protection against it.
Leaves me wondering what else is left wide open for such abuse?
1) Again - Not Trolling

2) Remote logout ... I suppose it's feasible... but unlikely.

Any system based interaction (and I count login/logout amongst those) should be protected against CSRF.
Though it's nigh impossible to be 100% proof ... the simple inclusion/addition of nonces goes a long way towards that.
(No, referer checks are basically useless - but any/every little bit that can be used could be used to make it that bit more work to abuse.)
Try >

AOL, Amazon, Blogger, Delicious, DeviantART, DreamHost, Dropbox, eBay, GitHub, GMail, Google, Hulu, Instapaper, Linode, LiveJournal, MySpace, NetFlix, New York Times, Newegg, Photobucket, Skype, Slashdot, SoundCloud, ThinkGeek, Threadless, Tumblr, Vimeo, Wikipedia, Windows Live, Woot, Wordpress, Yahoo!, YouTube and a few others ;)
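The nonce-based protection for a logout endpoint that the comment above argues for, as an added example that is not part of the original thread or of any site it names: a per-session anti-CSRF token (synchronizer token pattern) is minted as an HMAC over the session id, and the logout handler refuses any request that does not carry it. The unprotected handler is shown alongside for contrast. `SERVER_KEY`, `handle_logout` and `handle_logout_unprotected` are names chosen here.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Server-side secret that binds CSRF tokens to a session (constructed for this example;
# a real deployment would load it from configuration, not generate it at import time).
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Mint the anti-CSRF nonce for a session.

    The token is an HMAC over the session id, so the server can verify it without
    storing it, and a token minted for one session is useless in any other.
    The site embeds this value in its own logout form or link; a page on another
    origin cannot read it, so a forged cross-site request cannot supply it.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_logout_unprotected(session_id: str) -> Tuple[int, str]:
    """The weak pattern discussed in the thread: any request bearing the session
    cookie logs the user out, including one triggered by a redirect or an image tag
    on a third-party page."""
    return 200, "logged out"


def handle_logout(session_id: str, submitted_token: Optional[str]) -> Tuple[int, str]:
    """Protected logout: succeed only when the request carries the session's token.

    Returns an (HTTP status, body) pair. Logging out is a state-changing action,
    so it is treated like any other write and requires the nonce.
    """
    if submitted_token is None:
        return 403, "missing CSRF token"
    expected = csrf_token(session_id)
    # Constant-time comparison so a wrong token cannot be refined byte by byte via timing.
    if not hmac.compare_digest(expected, submitted_token):
        return 403, "invalid CSRF token"
    # Token matched: this is where the session would actually be invalidated.
    return 200, "logged out"
```

A forged request arrives with the victim's cookie but no token (or a token minted for the attacker's own session), and is rejected; only the site's own logout link, which carries the matching nonce, succeeds.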
+Thomas P. Bing made this change also a long while back, the reason being is that the images are increasingly cloaked and redirected ;(