OkCupid had a CSRF vulnerability (via) Good write-up of a (now fixed) CSRF vulnerability on OkCupid. Their site worked by POSTing JSON objects to an API. JSON POSTs are usually protected against CSRF because they can only be sent using fetch()
or XMLHttpRequest
, which are protected by the same-origin policy. Yan Zhu notes that you can use the enctype="text/plain"
attribute on a form (introduced in HTML5) and a crafty hidden input element with name='{"foo":"' value='bar"}'
to construct JSON in an off-site form, which enabled CSRF attacks.
Recent articles
- Recreating the Apollo AI adoption rate chart with GPT-5, Python and Pyodide - 9th September 2025
- GPT-5 Thinking in ChatGPT (aka Research Goblin) is shockingly good at search - 6th September 2025
- V&A East Storehouse and Operation Mincemeat in London - 27th August 2025