This repository has been archived by the owner on Jul 24, 2021. It is now read-only.

Harry's minor friend making vulnerability #4522

Closed
openstreetmap-trac opened this issue Jul 23, 2021 · 6 comments

Comments


Reporter: Harry Wood
[Submitted to the original trac issue database at 6.07pm, Tuesday, 14th August 2012]

We have a GET URL for adding a friend without further prompts. E.g. click here to be my friend: http://www.openstreetmap.org/user/Harry%20Wood/make_friend

Obviously if I can trick anyone into following that link then I get to be their friend, which can be done in sneaky ways for example:

http://harrywood.dev.openstreetmap.org/amazing.html

Guess the fix would be to make it show a Yes/No confirmation at this URL.


Author: Harry Wood
[Added to the original trac issue at 9.23pm, Tuesday, 14th August 2012]

I should add that I've just posted this trick in IRC, and made 12 new friends as a result. So the information is out there, which maybe makes this more urgent. ...although obviously accidental friending is quite low impact.


Author: TomH
[Added to the original trac issue at 9.37pm, Tuesday, 14th August 2012]

Well it's out there now pillock! Thanks for turning a minor issue into a major emergency!


Author: TomH
[Added to the original trac issue at 10.07pm, Tuesday, 14th August 2012]

I've pushed a change to make this use POST as an emergency fix. It breaks the links in the friend notification emails, but I will fix that tomorrow.


Author: Harry Wood
[Added to the original trac issue at 10.53am, Wednesday, 15th August 2012]

Yeah, sorry, I didn't really consider this to be a big deal and I wanted to prove (mainly to myself) that it would work, so I needed to fish for some clicks on IRC, all of which I did before even raising the trac ticket in the first place. Only afterwards did I realise I might've created a problem by telling a few people about it. Sorry about that. It was only a few people though.

Not wanting to wind you up more Tom, but you do know your fix is not working? friending/unfriending functionality is currently broken? (Links on the site currently take you to 'not found' URLs)


Author: TomH
[Added to the original trac issue at 11.09am, Wednesday, 15th August 2012]

As I said:

"It breaks the links in the friend notification emails, but I will fix that tomorrow."

So links on the site should work (because rails will generate JS that does a POST when you click) but random links elsewhere like in the email will not work yet.
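
To make the ticket's problem and Tom's fix concrete, here is an added example (not the openstreetmap-website code, and not posted by anyone in this thread): a minimal Ruby stand-in for the make_friend endpoint in its original GET form beside a POST-plus-CSRF-token form. The request and session hashes, the `FriendStore` class, and the `secure_compare` helper are assumptions made for the example; in the real Rails app the equivalent pieces are the route's HTTP verb, `protect_from_forgery`'s `authenticity_token` check, and `link_to ... method: :post`, which emits `data-method="post"` so rails.js turns the click into a token-carrying POST (the JS Tom refers to).

```ruby
require 'uri'
require 'securerandom'

# Constructed stand-in for the Friend model: an in-memory list of
# (user, friend) pairs. Not the project's code.
class FriendStore
  attr_reader :friendships
  def initialize; @friendships = []; end
  def add(user, friend)
    @friendships << [user, friend] unless friends?(user, friend)
  end
  def friends?(user, friend); @friendships.include?([user, friend]); end
end

MAKE_FRIEND = %r{\A/user/([^/]+)/make_friend\z}

# Hypothetical request shape { method:, path:, params: } built by the demo
# below rather than parsed from real HTTP.
def target_user(path)
  m = MAKE_FRIEND.match(path)
  m && URI.decode_www_form_component(m[1])
end

# Before: the behaviour the ticket describes. Any GET to the URL befriends
# the named user on behalf of whoever is logged in, so an
# <img src="http://www.openstreetmap.org/user/Harry%20Wood/make_friend">
# on an unrelated page fires it with the victim's own cookies.
def make_friend_vulnerable(store, session, req)
  friend = target_user(req[:path])
  return [404, 'not found'] unless friend && req[:method] == 'GET'
  return [403, 'not logged in'] unless session[:user]
  store.add(session[:user], friend)
  [200, "now friends with #{friend}"]
end

# After: the route only answers POST, and the POST must carry the per-session
# CSRF token (what Rails checks as authenticity_token). A third-party page
# cannot read that token out of the victim's page, so it cannot forge the
# form; a bare GET (old email links included) now gets 'not found'.
def make_friend_hardened(store, session, req)
  friend = target_user(req[:path])
  return [404, 'not found'] unless friend && req[:method] == 'POST'
  return [403, 'not logged in'] unless session[:user]
  token = req[:params]['authenticity_token'].to_s
  return [403, 'bad csrf token'] unless secure_compare(session[:csrf_token].to_s, token)
  store.add(session[:user], friend)
  [200, "now friends with #{friend}"]
end

# Constant-time comparison so the token check does not leak bytes through
# timing (same idea as Rack::Utils.secure_compare).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def new_session(user)
  { user: user, csrf_token: SecureRandom.hex(16) }
end

# Run a victim's session through both versions with a forged GET, a forged
# POST carrying a guessed token, and a genuine POST from the site's own form.
def demo
  victim = new_session('victim')
  path = '/user/Harry%20Wood/make_friend'
  forged_get = { method: 'GET', path: path, params: {} }
  forged_post = { method: 'POST', path: path, params: { 'authenticity_token' => 'guess' } }
  real_post = { method: 'POST', path: path, params: { 'authenticity_token' => victim[:csrf_token] } }

  before = FriendStore.new
  make_friend_vulnerable(before, victim, forged_get)

  after = FriendStore.new
  r_get = make_friend_hardened(after, victim, forged_get)
  r_forged = make_friend_hardened(after, victim, forged_post)
  r_real = make_friend_hardened(after, victim, real_post)

  {
    before_friended: before.friends?('victim', 'Harry Wood'),
    forged_get: r_get[0], forged_post: r_forged[0], real_post: r_real[0],
    after_friended: after.friends?('victim', 'Harry Wood')
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Note that the Yes/No confirmation Harry guessed at only helps if the "Yes" button itself submits a token-protected POST; a confirmation page whose button is another GET link would be just as forgeable. Changing the verb is also why the site's own links kept working while the email links broke: the in-page links are rewritten to POST by the generated JS, whereas a plain link in an email can only ever issue a GET.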


Author: Harry Wood
[Added to the original trac issue at 11.41pm, Wednesday, 15th August 2012]

OK, I see it's all fixed now ... after a brief re-opening of the vulnerability for a little while this evening, if I'm not mistaken :-)
