On Mon, Feb 15, 2010 at 6:21 PM, Josh Fraser <[email protected]> wrote:
> The vulnerability here > is if someone wants to screw with you, all they would need to do is > subscribe to the same feeds, wait for them to be updated and then > respond with a fake unsubscribe notice that looks like it's from you. > The verification step is important. It's a bad idea to drop it. > I think you're assuming that the unsubscribe request will be a separate POST initiated from the subscriber to the hub. I'm suggesting that when the hub sends an update POST to the subscriber, that the subscriber responds to that same HTTP Post with an "unsubscribe" text with status 200 (as opposed to the normal case of responding with 200 and an empty body). What I think you're referring to, which is a request initiated by the subscriber and sent to the host is what we have in the specs already, and in that case the verification is definitely required.
