Original story without the splash page:

http://prominentsecurity.com/?p=119

It also says that the flaw has been patched:

"*Update (5/22/10): After reporting the flaw to Facebook Wednesday afternoon, I have confirmed as of Friday afternoon that the flaw has been successfully patched. Facebook now strictly enforces the existence of the “post_form_id” CSRF protection token in the request."
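
An added example, not part of the comment or the linked article and not Facebook's code: a server-side check that verifies a CSRF token only when one is present, beside a check that enforces its existence, which is the behaviour the quoted update describes. Only the field name `post_form_id` comes from the page; the HMAC token scheme, the function names, the `status` field and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret used to derive session-bound tokens.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Derive the form token bound to one session (hypothetical scheme)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _matches(session_id: str, token: str) -> bool:
    # Compare as bytes so non-ASCII input cannot raise, in constant time.
    return hmac.compare_digest(token.encode(), issue_token(session_id).encode())


def lenient_check(session_id: str, form: dict) -> bool:
    """Flawed pattern: the token is verified only if the request carries one."""
    token = form.get("post_form_id")
    if token is None:
        return True  # a request that omits the field is accepted unverified
    return isinstance(token, str) and _matches(session_id, token)


def strict_check(session_id: str, form: dict) -> bool:
    """Enforced pattern: a missing, empty or non-string token is rejected."""
    token = form.get("post_form_id")
    if not isinstance(token, str) or not token:
        return False
    return _matches(session_id, token)


def demo() -> dict:
    sid = "session-1234"  # constructed session identifier
    forms = {  # constructed request bodies
        "legitimate": {"post_form_id": issue_token(sid), "status": "hi"},
        "token omitted": {"status": "hi"},
        "token empty": {"post_form_id": "", "status": "hi"},
        "token wrong": {"post_form_id": "0" * 64, "status": "hi"},
    }
    # Map each case to (lenient result, strict result).
    return {n: (lenient_check(sid, f), strict_check(sid, f)) for n, f in forms.items()}


if __name__ == "__main__":
    for name, (lenient, strict) in demo().items():
        print(f"{name:14} lenient={lenient} strict={strict}")
```

The two checks disagree only on the request that omits the token, so a regression test for this class of bug has to include a request with the field absent, not just one with a wrong value.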