You guys are absolutely right. The line "the hacker now has access to Joe's back-end data" with respect to GET requests is very misleading in this example.
Allow me a little justification, in my defense.
At a previous company, we were CSRF hacked as follows:
some of our GET endpoints had side effects, which allowed the phisher to do actions on the client's account
we have a suite of REST endpoints for mobile clients, which the phisher was able to use because CORS can't be applied
we had a JS injection vulnerability that was exploited using POST, where XmlHttpRequest was sent using ENCTYPE - not sure on the details
So in our case, the phisher had full access to client data, which is not the case with SIMPLES.COM.
You guys are absolutely right. The line "the hacker now has access to Joe's back-end data" with respect to GET requests is very misleading in this example.
Allow me a little justification, in my defense.
At a previous company, we were CSRF hacked as follows:
So in our case, the phisher had full access to client data, which is not the case with SIMPLES.COM.
Thank you all. I'll edit the post appropriately.
*hangs head in abject shame
There is no shame in correcting a mistake. I'm sure I've made my fair share of them in writing. :)