Social network/messaging application Fring has an unpatched CSRF vulnerability. I especially love reading the timeline. Apparently Fring said that they were already working on the problem…before they knew what the problem was.
From quine.dreamwidth.com:
The script that handles the request (to mark one’s profile as “private” or “public”) is vulnerable to cross-site request forgery (CSRF) [1] [2], and so a user, authenticated to Fring, may unknowingly set their profile privacy status to an undesired value. For example, if this user had a private Fring profile, and they were lured to a site containing malicious JavaScript, their profile could be set to “public” without their knowledge or consent.
I’d say that’s something that I would hope they would get fixed in short order.
For more on this one read on.
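The quoted write-up describes the flaw in prose: the privacy-toggle script accepts any request that carries the victim's authenticated session, so a page the user is lured to can submit that request for them. As an added example (not Fring's code and not from the quoted post), the Python below models a minimal privacy-toggle handler with that defect next to a hardened version that applies the standard defences: the state change is restricted to POST, a per-session synchronizer token is required and compared in constant time, and the browser-supplied Origin header is checked. The in-memory session store, the `private` and `csrf_token` form field names, the status codes and the `fring.example` origin are all constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample state standing in for the application's backend.
# Assumption: nothing here reflects Fring's real code, schema or domain.
SESSIONS = {"sess-abc": {"user": "alice", "csrf_token": secrets.token_hex(16)}}
PROFILES = {"alice": {"private": True}}
SITE_ORIGIN = "https://fring.example"  # placeholder origin, not the real site


@dataclass
class Request:
    """Just the parts of an HTTP request the handlers below look at."""
    method: str
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def _session(req):
    return SESSIONS.get(req.cookies.get("session"))


def set_privacy_vulnerable(req):
    """Mirrors the flaw in the post: the only check is that a session cookie
    is present, which the browser attaches to cross-site requests as well."""
    sess = _session(req)
    if sess is None:
        return 401
    PROFILES[sess["user"]]["private"] = req.form.get("private") == "1"
    return 200


def set_privacy_hardened(req):
    """Same action, guarded so a third-party page cannot trigger it."""
    sess = _session(req)
    if sess is None:
        return 401
    if req.method != "POST":
        return 405  # a state change must never ride on a GET
    # A cross-origin form post carries the other site's Origin; reject it.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    # Synchronizer token: issued to the page by the server, bound to this
    # session, and unreadable from another origin. Constant-time compare.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf_token"].encode()):
        return 403
    PROFILES[sess["user"]]["private"] = req.form.get("private") == "1"
    return 200


def demo():
    """Runs a forged cross-site request and a legitimate one against both handlers."""
    results = {}
    sess = SESSIONS["sess-abc"]
    # Forged request: the victim's cookie rides along, but the foreign page
    # has no token and the browser reports that page's Origin.
    forged = Request("POST", {"session": "sess-abc"}, {"private": "0"},
                     {"Origin": "https://attacker.example"})

    PROFILES["alice"]["private"] = True
    results["vulnerable_forged"] = set_privacy_vulnerable(forged)
    results["vulnerable_private_after"] = PROFILES["alice"]["private"]

    PROFILES["alice"]["private"] = True
    results["hardened_forged"] = set_privacy_hardened(forged)
    results["hardened_private_after"] = PROFILES["alice"]["private"]

    results["hardened_get"] = set_privacy_hardened(
        Request("GET", {"session": "sess-abc"}, {"private": "0"}))

    # Legitimate request from the site's own form, carrying the session token.
    legit = Request("POST", {"session": "sess-abc"},
                    {"private": "0", "csrf_token": sess["csrf_token"]},
                    {"Origin": SITE_ORIGIN})
    results["hardened_legit"] = set_privacy_hardened(legit)
    results["hardened_legit_private_after"] = PROFILES["alice"]["private"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable handler flips the flag on the forged request; the hardened one returns 403 and leaves the profile private, while the same change submitted from the site's own form with the session token succeeds. Frameworks that ship CSRF middleware implement this same token scheme, and setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side defence.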
(Image used under CC from Piutus)