Popular websites fall victim to CSRF exploits

Updated Wednesday, Oct. 1 at 10:02 a.m. EST

A pair of Princeton University researchers announced Monday that they have discovered cross-site request forgery (CSRF) vulnerabilities on four popular websites — ING Direct, YouTube, MetaFilter and The New York Times.
The two researchers – Edward Felten, a computer science professor, and graduate student Bill Zeller – explain in a report, “Cross-Site Request Forgeries: Exploitation and Prevention," that attacks occur when a malicious website causes a logged-in user's web browser to perform an unwanted action on a trusted site.

Essentially, these attacks exploit the trust a website has for a user, unlike cross-site scripting attacks, which take advantage of the trust a user has for a particular site.

Researchers found CSRF vulnerabilities on The New York Times website which made user email addresses available to an attacker. On ING Direct's website, attackers could open up bank accounts on behalf of a user and transfer funds into their own account.

On MetaFilter's website, an attacker could take control of a user's account using the “lost password” feature. On YouTube, the researchers found multiple vulnerabilities, including an attacker being able to access private videos and impact the popularity of videos.
Three of the vulnerabilities, discovered more than a year ago, have been fixed, the report states. The New York Times has not corrected the problem, the researchers said.

However, New York Times Co. spokeswoman Stacy Green told Wednesday morning that the vulnerability has been corrected.

CSRF vulnerabilities are simple to fix, but, “exist because web developers are uneducated about the cause and seriousness of CSRF attacks,” the report states.
The danger with this sort of attack is that anything that can be done with a web application can potentially be done by a third party, Tom Cross, X-Force researcher with IBM Internet Security Systems, told on Tuesday.

This includes attackers being able to transfer money out of bank accounts and trade stocks in online trading accounts — two of the worst threats associated with CSRF, he said. Attackers who use this method could also potentially obtain email addresses of users, post blog entries or message board comments as a person.
“It's fairly easy for someone who understands how the web works to build an attack like this," Cross said. "If you can build an HTML page you can build an attack against a site."

Zeller, a Princeton Ph.D. student, said CSRF vulnerabilities are among the most common flaws impacting websites.

"Any website that allows authenticated users to perform an action and doesn't specifically protect against CSRF attacks can be susceptible," he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.