Fixed Users can be tricked into marking content read without actually reading it

Affected version


Well-known member
Post the URL to an unread thread as [img] and view the contetn containing this BBCode

Expected Result
The attacked thread is not marked read as the user never really read it

Actual Result
XF accepts the request issued by the browser and marks the thread read

Suggested Mitigation
Prevent GET requests initiated by images from marking content read, maybe also do not change online location in this case


XenForo developer
Staff member
We have resolved this in 2.2. This approach was taken because it's a fairly complicated fix and the consequences of a false positive match essentially means that all threads (and some other bits) become unviewable.

The only real way to detect this is through heuristics based on the Accept header. Each browser has a distinct set of data that they pass through for this, and its contents differ in various scenarios. Hence, a false positive certainly is possible, though it's not something we've run into yet.