[ronnier]

I don't understand the negative response towards CSRF exploits. They are real and they are dangerous.

[ryanlol]

The negative response tends to be against the super low impact ones, such as this.

I have to agree with the GP, blogging about an issue like this just seems tacky.

The reactions would undoubtedly be different if it was a practically exploitable CSRF, like something that allows you to change users email addresses.

[krapp]

If this had been reported in any other web application, everyone here would be calling the developers morons.

[ChristianBundy]

If it's such a low-hanging fruit why don't you prove it?

[totony]

How would you go about proving that?

[ubernostrum]

It's more that if literally any other site on the internet were found to have any type of CSRF vulnerability, people here would be going on and on and on about how this is web dev 101, only a complete idiot wouldn't know about/secure against CSRF attacks, etc.

Whereas here, when it's HN with a CSRF issue, "eh, it would break some third-party clients if we patched this".

[dang]

Tell me more about this world in which HN's users shield its developers from criticism.

We fixed the reported vulnerability and have a fix for the remaining issue ready if it's needed. There's no "eh" here; it's a question of what the right tradeoff is.

[ubernostrum]

Well, I don't see people insulting you the way they would if it were another site...

And I don't see people calling out the "breaks third-party clients" justification for not rolling out the full fix.

[dang]

Since you're a "people here", your comments disprove themselves.

A phrase like "calling out" assumes that it's obvious what we should do. It's not obvious; the parts that were obvious are done. Our goal is to do what's best for the community, not to avoid getting criticized on the internet.