Hi FA admins
15 years ago
General
I seem to remember these types of exploits being a problem in the past.
yak, you remember this discussion we had about a generic security function to pass arguments from any sort of user interaction which requires you to be logged in on the site? I'm not a web coder by any means (man do I hate web coding, call me old-fashioned), but I would have assumed that the least you guys could've done was to add an HTTP_REFERER check on the links which provide user actions or something.
This needs to be done for basically every single link-based action the site provides to logged-in users. Watches, faves, submission and journal removal, all of it. And you should probably throw in some other shit for good measure (sorry, again, I don't typically deal in web security but even to me the referrer stuff seems obvious) if you do end up writing a function to handle all the link-based actions. Pass them all to a single function first, then call the function on the server-end where necessary. That will reduce the potential issues you may have from these things in the future to a single point of failure, and you can adjust security in the calling function accordingly. A simple sanity check is probably a good idea with input boxes/things that utilize HTTP_POST data too, but I wouldn't expect it to be handled by the same calling procedure, just that you guys make sure to tell your coder(s) to have ALL user interactions go through a single security procedure (or procedure type) first so that you don't accidentally "miss" one when you fix fuckups like this in the future.
One of the reasons I'm prompted to mention this is because even after dragoneer put out damage control PR, the exploit is still all over the place, and it's not just about hidden comments. Any of you guys ever wonder why lexyeevee is getting tons of watches lately? (That's also kinda why I'm not linking to his journal entry explaining this, since all of you guys who are still reading up to this point already know about it)
One last thing; killing the messenger might serve as short-term damage control but I thought you guys should know by now that it does not do anything to alleviate the underlying problem. The toothpaste is already out of the tube, now that people know this exploit exists. It's just a matter of who decides to use it and for what purpose. You guys are all fucked until all cross-site request forgeries are fixed, for as long as FA remains online.
I think Eevee (perhaps) hadn't learned the lesson the rest of us had back in the day about finding exploits in FA -- never do your own dirty work and all that. If it were me, I'd simply warn you guys about going public with the information and wash my hands of any responsibility as to what would come of it. Realistically, the ball was still in your guys' court, but because Eevee himself decided to demonstrate the exploit to you, you decide to ban him, just like you did with the other guys before him ('sup, nrr). Would you really prefer an instruction manual for such exploits to be posted publicly instead in the future, and wait for a really bad dude to utilize it? Y'all should've hopped on the damn bus right away, before there was an opportunity to wreak havoc, and yet, I'm still posting here while pretty much all of these exploits are still exploitable.
(And a warning to anyone else thinking of using link forgery: The admins are watching, and will ban you for any shenanigans, so don't do it, even if it's funny or their fault for not fixing the fucking thing by now and is as easy as posting a link in an <img> tag )
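The single guard the post above argues for, written out as an added example that is neither the site's code nor the poster's: a plain-Python sketch (no web framework) of one csrf_guard() that every link- or form-based action is dispatched through, run against three constructed requests, including the kind of request an `<img src=...>` on another site produces. The host name, the session id, the secret, the handler and action names, and the sample requests are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Assumptions for this example (not the site's real configuration):
SITE_HOST = "www.furaffinity.net"          # host legitimate requests come from
SERVER_SECRET = secrets.token_bytes(32)    # per-deployment secret; load from config in practice


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a web framework would hand it over."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session_id: str = ""                    # identifies the logged-in session (cookie)


def csrf_token(session_id: str) -> str:
    """Session-bound token the site embeds in every form/link it renders for that session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_site(url: Optional[str]) -> bool:
    """True only if the URL's host is our own host; '', None and 'null' all fail."""
    if not url:
        return False
    return urlsplit(url).hostname == SITE_HOST


def csrf_guard(req: Request) -> Tuple[bool, str]:
    """The one check every state-changing action passes through.

    Three layers: no mutations over GET (so an <img src=...> can never trigger one),
    Origin/Referer must be our own site, and the session-bound token must match.
    """
    if req.method != "POST":
        return False, "state-changing actions are only accepted over POST"
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not same_site(origin):
        return False, "missing or foreign Origin/Referer"
    presented = req.form.get("csrf_token", "")
    expected = csrf_token(req.session_id)
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Action handlers registered behind the guard (hypothetical names and storage).
WATCHES: Set[Tuple[str, str]] = set()


def do_watch(req: Request) -> str:
    WATCHES.add((req.session_id, req.form["user"]))
    return "watched " + req.form["user"]


ACTIONS = {"/watch": do_watch}


def dispatch(req: Request) -> Tuple[int, str]:
    """Every action goes through csrf_guard() before its handler is even looked up."""
    ok, reason = csrf_guard(req)
    if not ok:
        return 403, reason
    handler = ACTIONS.get(req.path)
    if handler is None:
        return 404, "no such action"
    return 200, handler(req)


SESSION = "sess-victim-123"   # constructed session id of a logged-in user


def sample_requests() -> Dict[str, Request]:
    """Constructed requests, as a logged-in user's browser would send them."""
    return {
        # what an <img src="http://www.furaffinity.net/watch/..."> on a foreign page produces
        "img_tag_get": Request("GET", "/watch",
                               headers={"Referer": "http://evil.example/page.html"},
                               session_id=SESSION),
        # a cross-site auto-submitted form: POST, but foreign Origin and no token
        "foreign_post": Request("POST", "/watch",
                                headers={"Origin": "http://evil.example"},
                                form={"user": "someone"}, session_id=SESSION),
        # the site's own watch button: same-site Origin plus the session's token
        "legit_post": Request("POST", "/watch",
                              headers={"Origin": "http://" + SITE_HOST},
                              form={"user": "someone", "csrf_token": csrf_token(SESSION)},
                              session_id=SESSION),
    }


def run_samples() -> Dict[str, Tuple[int, str]]:
    return {name: dispatch(req) for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:13s} -> {result}")
```

The Referer check the post asks for is only the second layer here, and it is the weakest one: browsers and privacy proxies routinely strip Referer on cross-site loads, so a server that relies on it alone has to choose between rejecting legitimate users and accepting forged requests. Refusing any state change over GET is what actually neutralises the `<img>` trick, the session-bound token covers the cross-site POST case, and the single dispatch point is what makes it impossible to "miss" one action the next time a fix lands.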
Once they're hidden they're hidden for good.
I'm not for or against it, but FA *really* should be taken down until this is fixed, especially if it's possible to start deleting journals/submissions.
<img src="http://www.furaffinity.net/watch/lexyeevee/">
Oh the fun that could be had using this. Post that in /furi/ or /b/ and have them watch a dummy account and you'd be able to pick out who actually is using those sites by the FA watches that site gets. That is, as long as you're logged in to FA. :P
(Not to mention all the other ways to do post data...)
I really don't feel comfortable with using this site anymore... o_o
I myself know I'm just barely inside the rules of the site, what with me just being a general ass, but even I know my limits.
Did somebody say butthurt?
See, we're great!