Security bug on ohloh.. (pretty big one too..)

Evert

3 months ago

Hi,

I just noticed ohloh.net has a crossdomain file (http://www.ohloh.net/crossdomain.xml) with no restrictions.

By doing so you just enabled a big CSRF security hole, pretty much allowing any Flash app to perform actions on your users' behalf.

It is strongly advised to create a separate domain for your APIs (e.g. api.ohloh.net) and not enable any cookies there.

Hope this helps, Evert


Robin Luckey

2 months ago

Until we have time to properly implement Flash support for the Ohloh API in a secure way, we've decided to drop the crossdomain.xml file.

I hope this isn't a terrible disruption for anyone, but technically this is the only good option for us right now.