Security Review

2012-04-02 by tamberg

You might have noticed that changing your account password now requires you to re-enter your old one. This helps to prevent cross-site request forgey. CSRF attacks are possible because Javascript code is allowed to post an HTML form to sites of a different origin without violating the browser's same origin policy. If you are signed in, the browser happily adds a valid authentication cookie of the targeted site to the malicious post request. All this was pointed out to us during a security review of the Yaler relay and Web site. Of course, is not Facebook and the chances of such an attack are rather small. Still, we immediately fixed the vulnerability to keep access to your data and devices as safe as possible.