Now, I read this post from Ben Maynard's blog (which is a worthy read, by the way so add it to your RSS readers) - and you should too before you go any deeper into this post ...go ahead I'll wait ...
OK, so now let's talk about what just happened. Did you read the comments? All of them?
Ben not only sent the developer an email explaining what CSRF is but sent that same developer links and tried to explain the issue. This developer clearly "didn't get it". But ask yourself ...is this that rare?
Now, I'm going to post the comment that really got me fired up from Daniel Kerr (the dev from OpenCart)... check this out:
Daniel Kerr says:
to be honest. this just shows the type of person be is. he thinks hes found some big hack and when i tell him to to stop wasting my time he goes around posting my emails in forums and his blog. ben is a prat.
this sort of problem even today effects big sites like gmail, paypal. you really think everything is down to the person who writes the script? or the web user?
Say what?! I'd love to grab this Daniel by the shirt-collar and rub this ass-hat's face into the steaming pile of shit he just made for himself. Are you kidding me? Someone does your job of finding a security vulnerability in your code (a major one at that), politely tells you about it, and gives you resources to understand it better and you have the stones (or is it just ignorance now?) to call him names on his own blog?
What an asshole.
By the way, Ben went on to write his own patch for OpenCart ...and maintained it some. But then the developer went to an entirely new level of mental midget ...he apparently broke the patch in the update of the OpenCart code. *facepalm*
Now ... what have we learned from this experience? I don't know about you but what I'm learning is that developers just aren't going to get it... today, tomorrow or after we force mandatory "secure coding" education on them. They just don't get it. The discipline of software development apparently requires such full attention of your mind that you cannot even squeeze the very thought of writing your code with an ounce of prevention.
...and this, my dear friends, is why we in InfoSec drink...heavily.
So you think if we pooled our pennies we could buy this OpenCart idiot a clue?