Four Major Sites Vulnerable To CSRF !

Four leading websites were or are vulnerable to Cross Site Request Forgery (CSRF) attack according to Princeton University researchers. While ING Direct, YouTube and Metafilter have taken action to address the cross-site-request-forgery (CSRF) vulnerabilities, the fourth site, belonging to The New York Times, has not been fixed !

CSRF flaws can be exploited so a user’s browser is hijacked during a session and used to access a secure target site. As web authentication normally relies on cookies containing a pseudo-random session identifier, attributed to a browser at the beginning of a session, a hacker can perform actions normally restricted to the user if that browser is hijacked during the session

ING Direct was one of the first financial services sites found to be vulnerable. The researchers managed to transfer funds out of user accounts and create accounts on behalf of arbitrary users.

The researchers claimed to have discovered CSRF flaws in “nearly every action a user could perform on YouTube”, including sending arbitrary messages on the user’s behalf. Metafilter blog accounts could be subverted by the attacker changing the user’s email to that of the attacker.

The researchers claimed they had let the sites know about these vulnerabilities in September last year, but said the vulnerability on NYTimes.com had still not been fixed. That site’s flaw could allow hackers to find out the email addresses of the website’s users and spam them, the researchers warned. The New York Times had not responded to a request for comment at the time of writing.

Source : zdnet.co.uk

Similar Posts you might be interested in:

Be Sociable, Share!

categories Network Security | | October 1, 2008

categories

4 Responses to “Four Major Sites Vulnerable To CSRF !”

  1. w0lf says:
    October 1, 2008 at 3:17 pm

    There are still lot of web sites out there on Internet which are vulnerable to CSRF attack. Google mail, Cisco routers and many others were also vulnerable to CSRF.

  2. Ne0 says:
    October 1, 2008 at 3:24 pm

    Yes.. absolutely… These are the recent ones that came into light…

  3. w0lf says:
    October 3, 2008 at 12:47 am

    Hi Neo. Found this blog and detailed paper on this. Hope you find it useful.
    freedom-to-tinker

  4. Ne0 says:
    October 4, 2008 at 1:55 pm

    Hey w0lf ! This link is really helpful… Thanks ……

Leave a Reply