[wp-hackers] Rethinking check_admin_referer()
Matt Mullenweg
m at mullenweg.com
Wed Apr 19 17:31:38 GMT 2006
Elliotte Harold wrote:
>> Well, it's the same with doors and locks: the chance that someone will
>> exploit my unlocked door is infinitesimal.
>
> Only because no one's yet built a robot to quickly scan all doors in the
> neighborhood to see which are unlocked. The problem's quite a bit more
> serious for WordPress. :-(
I have never heard of a worm exploiting a distributed application
through CSRF. It would be pretty difficult, and likely die.
If a worm were created, its best attack vector would be through
comments. We could blog about it to warn people, since it's mostly a
social hack, education would help the most, and they could also be
blocked by Akismet. In the event of an emergency, we have plenty of ways
to contact people: through blogs, through the dashboard, mailing lists,
and the one-way announcement list.
Social hacks will always be the most successful. The most common false
positives on Akismet are the ones asking where the RSS feed is, or
complimenting the webmaster on their design. Remember the Windows thing
that would tell people if there was a certain file in their system32
directory they had spyware/virus, and went over the 20 steps to find and
remove it?
Anyway, we're off-topic.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com