The real problem with CSRF vulnerabilities is that in most organisations, they're nobody's responsibility. The architects, designers and developers all think that security is someone else's problem. Like much security engineering, it's not that hard to design around but it does take a level of skill.

One of the reasons that companies don't bother with fixing their development process is that they can pass on the impact to the end user. If someone renamed your Heroku instance, that's your problem more than Heroku's. Sure they need to fix it, but if the numbers are small enough then it's worth the customer service cost to them whereas your site is gone until it's discovered.

It's great to see someone banging the drum about this. CSRF is incredibly common, mainly because if you don't know what it is your applications are vulnerable (you have to fully understand it in order to protect against it, and most engineers don't understand it). It makes for a good interview question :)

previous discussion here: http://news.ycombinator.com/item?id=3791281

Why are these threads getting killed so often ?

Impressed to see so many high profile sites on the list.