If you log in to your Magento admin today, you are greeted with a message box that says:
CSRF Attack Prevention Read details !
Yesterday the Magento team acknowledged a CSRF vulnerability and provided a solution in the form of a tutorial on changing the admin path (frontName) of your Magento shop.
I find this approach strange and funny at the same time. Is hiding a vulnerability the new way of fixing it? Especially since some users of the French Magento forums found a similar problem in the downloader (Magento Connect Manager). I can confirm this because I tested it myself. The funniest part was that Magento cached my GET request, so I couldn't get rid of my test alert box.
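As an added illustration (not Magento's code and not the solution from the Magento tutorial), here is the kind of synchronizer-token check that addresses CSRF directly instead of hiding the admin path. It is plain PHP 7+; the field name form_key and the function names are my own choice for the example.

```php
<?php
// Added example, not Magento code: a minimal synchronizer-token (anti-CSRF) check.
// Assumes a PHP session is available; function and field names are hypothetical.

session_start();

// Issue one random secret per session; embed it in every state-changing admin form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to drop into an admin form.
function csrf_field(): string
{
    return '<input type="hidden" name="form_key" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Reject any state-changing request whose token does not match the session's.
// A link or form served from another origin cannot read the session token,
// so a forged request fails here even if the attacker knows the admin path.
function csrf_check(array $request): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $request['form_key'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Never perform state changes on GET: the cached GET request described above
// is exactly the case a token check on POST alone would not cover.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid form key');
    }
    // ... perform the admin action here
} elseif ($_SERVER['REQUEST_METHOD'] === 'GET') {
    echo '<form method="post">' . csrf_field()
        . '<button type="submit">Save</button></form>';
}
```

The two design points are that the token lives in the server-side session (so renaming the admin path is irrelevant to the check) and that hash_equals is used for the comparison rather than ==, which avoids a timing side channel on the token.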
A few quick tips for Magento admins:
1. Follow official Magento news, forums and updates.
2. Don't click suspicious links. These kinds of attacks are usually carried out through malformed links that the admin clicks in an email, a comment, or any other source.
3. Clear "saved passwords" from your browsers. Since most web browsers offer to remember passwords and then autocomplete them, this kind of attack could easily steal your password.