Silent but deadly attacks on four major sites have been revealed by researchers Ed Felten and Bill Zeller at Princeton University.
These attacks are known as cross site request forgery (CSRF) and have been known to allow an attacker to transfer money out of a victim’s bank account.
The researchers found four sites vulnerable to these attacks: ING, Youtube, MetfFilter and The New York Times, the latter being the only one still harbouring the CSRF flaw which allows email and address details to be accessed.
ING's vulberability was most worrisome as an attacker could transfer money from a customer's account into another account which the attacker opened in the victim's name. ING didn’t protect its site from these kinds of attacks and they can go completely unnoticed.
Youtube was found to have the flaw in the sense that an attacker could send messages acting on behalf of another user, which could potentially be offensive, Metafilter’s flaw allowed an attacker to take over a victim's account.
Both Youtube and MetaFilter have rectified this problem since being alerted to it by the Princeton researchers, The New York Times however, has not.
Zeller explains that, "The severity of the attacks we found illustrates that developers are not as familiar as they should be with these types of attacks"
The research has not only highlighted the problem, but has also come up with a deterrent – a plugin for Firefox to protect the client and the Code Igniter PHP server framework has been released, however this is limited as it only protects the users from cross-site POST requests.
Although these examples are a good start, this is only the tip of a very large iceberg – the problem won’t be resolved until people are more educated about CSRF attacks. µ
Freedom to Tinker
YouTube vulnerable in new forgery flaws
By Emma Hughes on Oct 1, 2008 10:46AM