> Twitter allowing updates through the API via IFRAMES and GET
Total amateurs. I hope those guys didn't have the guts to say anything about diaspora. Because disallowing GET updates is, like, the third page of a network security book.
It is also an error to assume that disallowing GET for updates adds any security. I recommend reading about cross site request forgery. CSRF is the type of attack used on Twitter today.
Yes, you did. You said that not allowing GET requests to change data on a site is commonly covered in network security books. It's not a security issue, it's a behavior issue. GET requests are supposed to be "safe" in that they don't result in changing any data on the site[1]. Breaking that expectation can result in all sorts of unintended consequences, such as unintended changes caused by link prefetching.
The article is also subtly wrong. GET requests can be protected from CSRF attacks. There just isn't ever a reason to do that if you're doing things right.
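As an added illustration of the point argued in this thread (not code from any of the commenters or from Twitter), a minimal Python sketch of a status-update handler in two versions: one that only refuses GET and still trusts the session cookie alone, and one that also checks a per-session synchronizer token. The session store, cookie name and token value are constructed for the example.

```python
import hmac

# Constructed in-memory session store: cookie value -> session data.
# The token is generated per session at login; a cross-origin page can
# never read it, so it cannot be included in a forged request.
SESSIONS = {"sess_abc": {"user": "alice", "csrf_token": "constructed-token-0123"}}


def update_status_post_only(method, cookies, form):
    """Refuses GET, but trusts the session cookie alone (still forgeable)."""
    if method != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "no session"
    return 200, f"{session['user']} posted: {form['status']}"


def update_status_with_token(method, cookies, form):
    """Refuses GET and requires the per-session token in the request body."""
    if method != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak token bytes.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf token missing or invalid"
    return 200, f"{session['user']} posted: {form['status']}"


def simulate():
    """Return the status codes each handler gives to a forged and a legitimate request."""
    cookies = {"session": "sess_abc"}  # the browser attaches this to every request to the site
    forged = {"status": "posted without the user's knowledge"}  # no token: other origins can't read it
    legit = {"status": "hello", "csrf_token": SESSIONS["sess_abc"]["csrf_token"]}
    return {
        "post_only_forged": update_status_post_only("POST", cookies, forged)[0],
        "token_forged": update_status_with_token("POST", cookies, forged)[0],
        "token_legit": update_status_with_token("POST", cookies, legit)[0],
        "get_rejected": update_status_with_token("GET", cookies, legit)[0],
    }


if __name__ == "__main__":
    print(simulate())
```

The method restriction alone lets the forged POST through; only the token check rejects it, which is the thread's point that refusing GET is a correctness measure rather than a CSRF defence.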
1. "Never said it did prevent CSRF" -- probably should have clarified.
2. You're arguing about semantics. CSRF is a security issue. Being able to send updates without the user's knowledge is a security hole too. Backed up by a wrong behaviour if you wish. I should never forget that HN is a Serious Business.
None of the above mentioned makes the Twitter guys any less lame.