Researchers from Princeton University today revealed their discovery of four major Websites susceptible to the silent-but-deadly cross-site request forgery (CSRF) attack -- including one on INGDirect.coms site that would let an attacker transfer money out of a victims bank account.
ING, YouTube, and MetaFilter all have since fixed these vulnerabilities after being alerted to them by the researchers, but as of press time, the fourth, The New York Times, still harbored a CSRF flaw on its site that would let an attacker cull and abuse email addresses from online subscribers to the site.
Bill Zeller, a PhD candidate at Princeton, says the CSRF bug that he and fellow researcher Edward Felton found on INGDirect.com represents one of the first publicly disclosed CSRF flaws on a bank site. It is the first example of a CSRF attack that allows money to be transferred out of a bank account that I'm aware of, Zeller says.
The CSRF bug they found on INGs site would have let an attacker move funds from the victims account to another account the attacker opened in the users name, unbeknownst to the user. Even using an SSL session wouldnt protect the user from such an attack, the researchers say. Since ING did not explicitly protect against CSRF attacks, transferring funds from a users account was as simple as mimicking the steps a user would take when transferring funds," according to a report written by Zeller and Felton.
In a CSRF attack, an attacker can force the users browser to request a page or action without the user knowing, or the Website recognizing the request didnt come from the actual legitimate user. CSRF is little understood in the Web development community, and it is therefore a very common vulnerability on Websites. CSRF is extremely pervasive. Its basically wherever you look, says Jeremiah Grossman, CTO of WhiteHat Security .
Aside from the ING flaw, the Princeton researchers also found CSRF vulnerabilities on YouTube that would let an attacker friend a user, add videos to the user's favorites list, and send messages on behalf of the user, for instance. The bug on the MetaFilter blogging site let an attacker set a users email address to the attackers, and then basically take over the victims account. While both YouTube and MetaFilter have fixed their CSRF bugs, The New York Times has not.
That vulnerability lets an attacker grab email addresses of users registered on the site and use them for spamming, or finding the email addresses of all users who visit an attackers site after they are lured there by a fake email. This attack is particularly dangerous because of the large number of users who have NYTimes accounts and because the NYTimes keeps users logged in for over a year, the researchers said in their report. They also found that the Timess new social-networking site TimesPeople is also vulnerable to CSRF attacks.
The severity of the attacks we found illustrates that developers are not as familiar as they should be with these types of attacks, Zeller says.
Meanwhile, Zeller and Felton have also developed some tools to protect against CSRF attacks. They released a plugin tool for Firefox to protect the client, and a plugin tool for the Code Igniter PHP server framework to prevent attacks on these Websites. Zeller says the browser plugin is limited because it only protects against cross-site POST requests, not GET requests. If we had blocked GET requests, many of the images on the Web wouldn't work, he explains. [The plugin] can protect users from vulnerabilities in sites that don't protect themselves.
Princeton's discovery of CSRF bugs on big-name Websites is only the tip of the iceberg for CSRF. We're starting to see more and more of these attacks, and I believe this will continue until developers become more educated about CSRF, Zeller says. An important difference between CSRF and XSS is that XSS requires a developer to create a hole -- a way for code to be injected to a site -- while CSRF attacks only require a developer to not fix a hole (which exists by default).
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.