CSRF – yet another security issue you should worry about NOW.

Read this.

CSRF (wikipedia), cross-site request forgery, is one of the most recent and under-publicized attacks on the web. It boils down to a user browsing to a web site, downloading a web page and, without knowing it, submitting requests to other web servers, usually with malicious intent. The example linked above demonstrates a hack in which a specially crafted URL is formed that actually changes the settings on a common DSL router used in Mexico (relying on the fact that the user name/password combination is well known and unlikely to have been changed).

If you allow user input in a web application or on a web site (even as part of forum or blog comments), you could be unwittingly providing hackers a friendly spot in which to inject these well-formed but malicious URLs and have them hosted. Unfortunately, they’re very difficult to track down.

I moderate all comments on my web site so that no unwanted links become published.

But if you write software, consider every avenue of data entry. Trust NO INPUT. Don’t trust the data that is in your database. Assume that it has been compromised. Assume nothing.
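The router example above works because a bare link can change state and the browser attaches the victim's credentials for free. The server-side check below is an added example (not from the post or the router vendor) of the two defences that close that gap: refuse to change state on GET, and require a per-session token that a page on another site cannot read. The in-memory session store, the request dict shape and the site name `https://app.example` are assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory session store for the example: session id -> session data.
SESSIONS = {}
OUR_ORIGIN = "https://app.example"  # assumed origin of the site being defended


def new_session():
    """Start a session and mint the synchronizer token the server embeds in its own forms."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token placed in a hidden form field on pages we serve; a foreign page never sees it."""
    return SESSIONS[sid]["csrf_token"]


def authorize_state_change(request):
    """Gate a state-changing action (e.g. 'change settings').

    request is a plain dict with keys method, cookies, form, headers (constructed shape).
    Returns (allowed, reason). The browser sends cookies on cross-site requests
    automatically, so the cookie alone proves nothing about who built the request.
    """
    # A crafted URL in a comment is a GET: never let GET change state.
    if request["method"] != "POST":
        return False, "state changes require POST"
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return False, "no session"
    # Synchronizer token: must match the one we issued, compared in constant time.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return False, "missing or wrong CSRF token"
    # Defence in depth: when the browser sends Origin, it must be our own site.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != OUR_ORIGIN:
        return False, "cross-site origin"
    return True, "ok"


if __name__ == "__main__":
    sid = new_session()
    # Forged cross-site POST: cookie present (browser adds it), token absent.
    print(authorize_state_change({"method": "POST", "cookies": {"sid": sid},
                                  "form": {}, "headers": {"Origin": "https://other.example"}}))
```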