Cameo includes a security check to help prevent cross-site request forgery. This can occasionally show up as a “false-positive” – that is, you get a security message when there isn’t a problem. This post explains why this might happen.

It is quite easy for someone to construct a URL, or create a plausible-looking form, which visits and sends information to some other website (such as Cameo). It is perhaps a bit harder to persuade someone to visit that link or fill in the form; nevertheless, it happens all the time. Of course, the attacker can’t just do this themselves, because they aren’t logged in. However, if they can fool you into following the link, they can do anything you’d be able to do yourself, because you are doing it on their behalf.

To prevent this, whenever you send or request anything of the Cameo server, your browser also sends a pair of matching keys (the “magic numbers” referred to below), generated when you log in. The attacker is not able to predict these (or get at them), so cannot include them in their fake request.

But to remain secure, the numbers need to be regenerated fairly often. This isn’t normally a problem. However, the cookie (which by necessity stores one of the magic numbers) is common to all windows, while the other number belongs to each window separately. Therefore it is possible for them to get out of step, for example if you have more than one window left open on Cameo, doing nothing, for several days.

This only happens for multiple windows in the same browser, not if you are logged on via different computers, as those don’t share common magic numbers. (However, doing this may invalidate any ‘remember me’ for your login, as these aren’t valid if accessed from a different IP address: logging in from a second computer will cancel the ‘remember me’ on the computer that was already logged in.)

All that needs doing when the CSRF protection fires is to bring the out-of-date window back into step with the codes in the other window; refreshing the contents of the errant window does this.
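The following is an added example (not Cameo’s own code) modelling the check described above: a token in a cookie shared by every window of one browser, a copy embedded in each window’s page, and a server-side comparison that accepts a request only when the two match. The `Browser`, `rotate` and `refresh` names are assumptions made for the illustration; the scenario at the end reproduces the stale-window false positive and shows why a refresh clears it.

```python
import secrets
import hmac


def tokens_match(page_token, cookie_token):
    # Server-side comparison of the two copies. A cross-site forgery carries
    # the cookie (the browser attaches it) but not the page copy, so it fails.
    if page_token is None or cookie_token is None:
        return False
    return hmac.compare_digest(page_token, cookie_token)


class Browser:
    """Model of one browser (hypothetical): a cookie shared by all windows,
    plus the token each open window's page was rendered with."""

    def __init__(self):
        self.cookie_token = secrets.token_hex(16)  # generated at login
        self.windows = {}                          # window name -> page token

    def open_window(self, name):
        self.windows[name] = self.cookie_token     # fresh page: in sync

    def refresh(self, name):
        self.windows[name] = self.cookie_token     # reload re-embeds current token

    def rotate(self, active_window):
        # Periodic regeneration: the cookie and the window that made the
        # request are updated; idle windows keep their old page token.
        self.cookie_token = secrets.token_hex(16)
        self.windows[active_window] = self.cookie_token

    def check(self, name):
        return tokens_match(self.windows.get(name), self.cookie_token)


def stale_window_scenario():
    """Two windows, one left idle across a rotation: the false positive."""
    b = Browser()
    b.open_window("a")
    b.open_window("b")
    before = (b.check("a"), b.check("b"))   # (True, True)
    b.rotate("a")                            # window b is now out of step
    during = (b.check("a"), b.check("b"))   # (True, False)
    b.refresh("b")                           # the fix the post recommends
    after = (b.check("a"), b.check("b"))    # (True, True)
    return before, during, after
```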