Cameo includes a security check to help prevent cross-site request forgery. This can occasionally show up as a “false-positive” – that is, you get a security message when there isn’t a problem. This post explains why this might happen.

It is quite easy for someone to construct a URL, or a plausible-looking form, that visits and sends information to some other website (such as Cameo). It is perhaps a bit harder to persuade someone to follow that link or fill in the form; nevertheless, it happens all the time. Of course, the attacker can’t just do this themselves, because they aren’t logged in. However, if they can fool you into following the link, they can do anything you would be able to do yourself, because you are doing it on their behalf.

To prevent this, whenever you send to or request anything from the Cameo server, it also sends a pair of matching keys, generated when you log in. The attacker is not able to predict these (or get at them), so cannot include them in their fake request.

But to remain secure, these keys need to be regenerated fairly often. This isn’t normally a problem. However, the cookie (which by necessity stores one of the two keys) is shared by all windows and tabs of the same browser, while the other key belongs to each window separately. Therefore it is possible for them to get out of step: for example, if you have more than one window left open on Cameo, doing nothing, for several days.

This only happens with multiple windows or tabs in the same browser, or if you have left the login page open for a long time. It does not happen when you are logged in on different computers, as those don’t share the same keys.

If the CSRF protection fires, all that needs doing is to bring the out-of-date window back into sync with the keys in the other window, and refreshing the contents of the errant window does this.
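The following simulation is an added example and is not Cameo’s own code. It models the scheme the post describes: a server-side session whose key lives in a cookie shared by every window of one browser, a second copy of that key embedded in each window’s page when the page is rendered, and a check that requires the two to match. The `Session`, `Window`, `render_page` and `csrf_check` names are assumptions made for the illustration. It walks through a forged request with no key, two windows opened in the same browser, a key rotation that leaves one idle window stale (the false positive), and the refresh that brings it back into sync.

```python
import hmac
import secrets


class Session:
    """Server-side login session (hypothetical). The cookie key is shared by
    every window/tab of the same browser, because cookies are per browser."""

    def __init__(self):
        self.cookie_key = secrets.token_hex(16)

    def rotate(self):
        """Regenerate the key; the post says this must happen fairly often."""
        self.cookie_key = secrets.token_hex(16)


class Window:
    """One browser window/tab (hypothetical). It keeps the key that was
    embedded in its page when that page was rendered, and does not see
    rotations that happen afterwards."""

    def __init__(self, page_key):
        self.page_key = page_key


def render_page(session):
    """Serving (or refreshing) a page embeds the session's current key."""
    return Window(session.cookie_key)


def csrf_check(session, submitted_key):
    """Double-submit check: the key in the cookie must equal the key the
    window sent with the request. A constant-time comparison avoids leaking
    how many leading characters of the key matched."""
    if submitted_key is None:
        return False
    return hmac.compare_digest(session.cookie_key, submitted_key)


def scenario():
    """Walk through the situations the post describes and return the
    outcome of each check so the behaviour can be asserted on."""
    session = Session()
    results = {}

    # Two windows opened in the same browser while the key is current.
    window_a = render_page(session)
    window_b = render_page(session)
    results["both_fresh"] = (
        csrf_check(session, window_a.page_key),
        csrf_check(session, window_b.page_key),
    )

    # A forged request cannot carry the key: the attacker can neither read
    # the cookie nor the page, so it arrives without one or with a guess.
    results["forged_no_key"] = csrf_check(session, None)
    results["forged_guess"] = csrf_check(session, secrets.token_hex(16))

    # Time passes: the server rotates the key. Window A is used and receives
    # a freshly rendered page; window B is left idle for days.
    session.rotate()
    window_a = render_page(session)
    results["a_after_rotate"] = csrf_check(session, window_a.page_key)
    # Window B still holds the old key: this is the false positive.
    results["b_stale"] = csrf_check(session, window_b.page_key)

    # The remedy from the post: refresh the errant window to resync its key.
    window_b = render_page(session)
    results["b_after_refresh"] = csrf_check(session, window_b.page_key)

    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

Note that in this model the cookie key is always current in every window (the browser sends the same cookie from all of them); it is only the per-window page key that goes stale, which is why refreshing the one errant window, rather than logging out, is enough.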