CSRF Attack Prevention

29 September 2009

If you log in to your Magento admin today, you are greeted with a message box that says:

CSRF Attack Prevention Read details!

Yesterday the Magento team acknowledged a CSRF vulnerability and provided a solution in the form of a tutorial on changing the admin path (frontName) of your Magento shop.

I find this approach strange and funny at the same time. Is hiding a vulnerability a new way of fixing it? ;) Especially since some users of the French Magento forums found a similar problem in the downloader (Magento Connect Manager). I can confirm this because I tested it myself. The funniest part was that Magento cached my GET request, so I couldn’t get rid of my test alert box :)

A few quick tips for Magento admins:

1. Follow official Magento news, forums, and updates.

2. Don’t click suspicious links. These kinds of attacks are usually carried out through malformed links that the admin clicks in an e-mail, a comment, or any other source.

3. Clear “saved passwords” from your browsers. Since most web browsers offer to remember passwords and then autocomplete them, this kind of attack could easily steal your password.

By Ivan Weiler from Inchoo.net
