NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA Listmaster
NRT-0633 CSRF vulnerabilities found on major Web sites:
Princeton University researchers recently discovered four
major Web sites containing cross‑site request forgery (CSRF)
vulnerabilities, according to an online news report. Three of the Web sites,
INGDirect.com, YouTube, and MetaFilter, have addressed the issue, but the
fourth, The New York Times, still harbored a CSRF flaw on its site that would
let an attacker cull and abuse e‑mail addresses from online subscribers to
the site.
The CSRF bug found on INGDirect.com represents one of the
first publicly disclosed CSRF vulnerabilities on a bank Web site. "It is the
first example of a CSRF attack that allows money to be transferred out of a bank
account that I'm aware of," said Bill Zeller, a PhD candidate at
Princeton who helped find the CSRF flaw.
The bug would have let an attacker move funds from the
victim's account to another account opened in the user's name by the
attacker. Use of an SSL session would not protect the user from such an attack,
because the browser attaches the user's session cookie to the forged request
regardless of which page initiated it.
"Since ING did not explicitly protect against CSRF attacks, transferring
funds from a user's account was as simple as mimicking the steps a user
would take when transferring funds," according to the researchers'
report.
In a CSRF attack, an attacker can force the user's browser
to request a page or action without the user or the Web site recognizing that
the request did not come from the actual, legitimate user. CSRF is little
understood in the Web development community and is a very common vulnerability
on Web sites, according to the report.
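The ING transfer flaw described above, as an added example that is not from the report or from ING: a toy bank back end whose transfer endpoint authorises on the session cookie alone (the vulnerable form) beside the same endpoint hardened with a per-session synchronizer token, plus the request the server sees when the victim's browser submits a form from an attacker's page. All names, amounts and status codes are constructed for the example.

```python
import hmac
import secrets

class Bank:
    """Toy bank back end (constructed for this example): accounts, sessions and
    one transfer endpoint in a vulnerable and a protected variant."""

    def __init__(self):
        self.accounts = {"victim": 1000, "attacker": 0}
        self.sessions = {}  # session cookie value -> {"user", "csrf"}

    def login(self, user):
        """Issue a session cookie and a per-session secret (synchronizer token)."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
        return sid

    def transfer_vulnerable(self, cookies, form):
        """Authorises on the session cookie alone, as the report describes ING's
        endpoint. The browser attaches that cookie to any form post to the bank,
        even one an attacker's page submits; TLS does not change that."""
        session = self.sessions.get(cookies.get("session"))
        if session is None:
            return 401
        return self._move(session["user"], form["to"], int(form["amount"]))

    def transfer_protected(self, cookies, form):
        """Same endpoint, but the form must echo the session's token. A cross-site
        page cannot read it (same-origin policy), so a forged post gets 403."""
        session = self.sessions.get(cookies.get("session"))
        if session is None:
            return 401
        if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
            return 403
        return self._move(session["user"], form["to"], int(form["amount"]))

    def _move(self, src, dst, amount):
        if dst not in self.accounts or amount <= 0 or self.accounts[src] < amount:
            return 400
        self.accounts[src] -= amount
        self.accounts[dst] += amount
        return 200

def forged_request(victim_cookie):
    """What the server sees when the victim's browser submits a hidden form from
    the attacker's page: the victim's own cookie, attacker-chosen fields, no token."""
    return {"session": victim_cookie}, {"to": "attacker", "amount": "500"}
```

The site's own transfer form would carry `bank.sessions[cookie]["csrf"]` as a hidden field, which is exactly what the forged request lacks.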
The Princeton researchers also found CSRF vulnerabilities on
YouTube that would let an attacker add videos to the user's favorites list,
and send messages on behalf of the user.
The CSRF vulnerability on the MetaFilter blogging Web site
would let an attacker set a user's e‑mail address to the
attacker's e‑mail address and then take over the victim's account.
The NY Times CSRF vulnerability lets an attacker harvest the e‑mail addresses of
users registered on the NYTimes Web site, either to use them for spamming or to
learn the e‑mail addresses of all users who visit an attacker's site after they
are lured there by a fake e‑mail. This CSRF attack is particularly
dangerous because of the large number of users who have NYTimes accounts and
because the NYTimes keeps users logged in for over a year, the Princeton
researchers noted in their report. The researchers also found that the NY Times's
new social‑networking Web site, TimesPeople, is vulnerable to CSRF
attacks.
(darkreading, 29SEP08; www.freedom-to-tinker.com)