CSRF Flaws Found on Major Websites

Princeton University researchers reveal four sites with cross-site request forgery flaws and unveil tools to protect against these attacks

Researchers from Princeton University today revealed their discovery of four major Websites susceptible to the silent-but-deadly cross-site request forgery (CSRF) attack -- including one on INGDirect.com’s site that would let an attacker transfer money out of a victim’s bank account.

ING, YouTube, and MetaFilter all have since fixed these vulnerabilities after being alerted to them by the researchers, but as of press time, the fourth, The New York Times, still harbored a CSRF flaw on its site that would let an attacker cull and abuse email addresses from online subscribers to the site.

Bill Zeller, a PhD candidate at Princeton, says the CSRF bug that he and fellow researcher Edward Felton found on INGDirect.com represents one of the first publicly disclosed CSRF flaws on a bank site. “It is the first example of a CSRF attack that allows money to be transferred out of a bank account that I'm aware of,” Zeller says.

The CSRF bug they found on ING’s site would have let an attacker move funds from the victim’s account to another account the attacker opened in the user’s name, unbeknownst to the user. Even using an SSL session wouldn’t protect the user from such an attack, the researchers say. “Since ING did not explicitly protect against CSRF attacks, transferring funds from a user’s account was as simple as mimicking the steps a user would take when transferring funds," according to a report written by Zeller and Felton.

In a CSRF attack, an attacker can force the user’s browser to request a page or action without the user knowing, or the Website recognizing the request didn’t come from the actual legitimate user. CSRF is little understood in the Web development community, and it is therefore a very common vulnerability on Websites. “CSRF is extremely pervasive. It’s basically wherever you look,” says Jeremiah Grossman, CTO of WhiteHat Security .

Aside from the ING flaw, the Princeton researchers also found CSRF vulnerabilities on YouTube that would let an attacker friend a user, add videos to the user's favorites list, and send messages on behalf of the user, for instance. The bug on the MetaFilter blogging site let an attacker set a user’s email address to the attacker’s, and then basically take over the victim’s account. While both YouTube and MetaFilter have fixed their CSRF bugs, The New York Times has not.

That vulnerability lets an attacker grab email addresses of users registered on the site and use them for spamming, or finding the email addresses of all users who visit an attacker’s site after they are lured there by a fake email. “This attack is particularly dangerous because of the large number of users who have NYTimes accounts and because the NYTimes keeps users logged in for over a year,” the researchers said in their report. They also found that the Times’s new social-networking site TimesPeople is also vulnerable to CSRF attacks.

“The severity of the attacks we found illustrates that developers are not as familiar as they should be with these types of attacks,” Zeller says.

Meanwhile, Zeller and Felton have also developed some tools to protect against CSRF attacks. They released a plugin tool for Firefox to protect the client, and a plugin tool for the Code Igniter PHP server framework to prevent attacks on these Websites. Zeller says the browser plugin is limited because it only protects against cross-site POST requests, not GET requests. “If we had blocked GET requests, many of the images on the Web wouldn't work,” he explains. “[The plugin] can protect users from vulnerabilities in sites that don't protect themselves.”

Princeton's discovery of CSRF bugs on big-name Websites is only the tip of the iceberg for CSRF. “We're starting to see more and more of these attacks, and I believe this will continue until developers become more educated about CSRF,” Zeller says. “An important difference between CSRF and XSS is that XSS requires a developer to create a hole -- a way for code to be injected to a site -- while CSRF attacks only require a developer to not fix a hole (which exists by default).”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights