YouTube vulnerable in new forgery flaws

Silent but deadly attacks on four major sites have been revealed by researchers Ed Felten and Bill Zeller at Princeton University.


These attacks are known as cross-site request forgery (CSRF): a page under the attacker's control makes the victim's browser send a request to a site where the victim is already logged in, and the site accepts it because the browser attaches the victim's cookies automatically. Such attacks have been known to allow an attacker to transfer money out of a victim's bank account.

The researchers found four sites vulnerable to these attacks: ING, YouTube, MetaFilter and The New York Times. The Times is the only one still harbouring its CSRF flaw, which allows a victim's email address and postal address details to be accessed.

ING's vulnerability was the most worrying: an attacker could transfer money from a customer's account into another account that the attacker had opened in the victim's name. ING did not protect its site against this kind of attack, and such transfers can go completely unnoticed by the victim.

YouTube's flaw let an attacker send messages on behalf of another user, which could be used to send offensive content under the victim's name. MetaFilter's flaw allowed an attacker to take over a victim's account.

Both YouTube and MetaFilter have fixed the problem since being alerted to it by the Princeton researchers; The New York Times has not.

Zeller explains, "The severity of the attacks we found illustrates that developers are not as familiar as they should be with these types of attacks."

The research has not only highlighted the problem but has also produced deterrents: a Firefox plugin to protect the client, and a CSRF protection for the CodeIgniter PHP server framework. The client-side plugin is limited in that it only protects users from cross-site POST requests.

Although these defences are a good start, they are only the tip of a very large iceberg; the problem won't be resolved until developers are better educated about CSRF attacks.


Source: Freedom to Tinker
theinquirer.net (c) 2010 Incisive Media