Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:35 AM
Connect Directly

CSRF Flaws Found on Major Websites

Princeton University researchers reveal four sites with cross-site request forgery flaws and unveil tools to protect against these attacks

Researchers from Princeton University today revealed their discovery of four major Websites susceptible to the silent-but-deadly cross-site request forgery (CSRF) attack -- including one on INGDirect.com’s site that would let an attacker transfer money out of a victim’s bank account.

ING, YouTube, and MetaFilter all have since fixed these vulnerabilities after being alerted to them by the researchers, but as of press time, the fourth, The New York Times, still harbored a CSRF flaw on its site that would let an attacker cull and abuse email addresses from online subscribers to the site.

Bill Zeller, a PhD candidate at Princeton, says the CSRF bug that he and fellow researcher Edward Felton found on INGDirect.com represents one of the first publicly disclosed CSRF flaws on a bank site. “It is the first example of a CSRF attack that allows money to be transferred out of a bank account that I'm aware of,” Zeller says.

The CSRF bug they found on ING’s site would have let an attacker move funds from the victim’s account to another account the attacker opened in the user’s name, unbeknownst to the user. Even using an SSL session wouldn’t protect the user from such an attack, the researchers say. “Since ING did not explicitly protect against CSRF attacks, transferring funds from a user’s account was as simple as mimicking the steps a user would take when transferring funds," according to a report written by Zeller and Felton.

In a CSRF attack, an attacker can force the user’s browser to request a page or action without the user knowing, or the Website recognizing the request didn’t come from the actual legitimate user. CSRF is little understood in the Web development community, and it is therefore a very common vulnerability on Websites. “CSRF is extremely pervasive. It’s basically wherever you look,” says Jeremiah Grossman, CTO of WhiteHat Security .

Aside from the ING flaw, the Princeton researchers also found CSRF vulnerabilities on YouTube that would let an attacker friend a user, add videos to the user's favorites list, and send messages on behalf of the user, for instance. The bug on the MetaFilter blogging site let an attacker set a user’s email address to the attacker’s, and then basically take over the victim’s account. While both YouTube and MetaFilter have fixed their CSRF bugs, The New York Times has not.

That vulnerability lets an attacker grab email addresses of users registered on the site and use them for spamming, or finding the email addresses of all users who visit an attacker’s site after they are lured there by a fake email. “This attack is particularly dangerous because of the large number of users who have NYTimes accounts and because the NYTimes keeps users logged in for over a year,” the researchers said in their report. They also found that the Times’s new social-networking site TimesPeople is also vulnerable to CSRF attacks.

“The severity of the attacks we found illustrates that developers are not as familiar as they should be with these types of attacks,” Zeller says.

Meanwhile, Zeller and Felton have also developed some tools to protect against CSRF attacks. They released a plugin tool for Firefox to protect the client, and a plugin tool for the Code Igniter PHP server framework to prevent attacks on these Websites. Zeller says the browser plugin is limited because it only protects against cross-site POST requests, not GET requests. “If we had blocked GET requests, many of the images on the Web wouldn't work,” he explains. “[The plugin] can protect users from vulnerabilities in sites that don't protect themselves.”

Princeton's discovery of CSRF bugs on big-name Websites is only the tip of the iceberg for CSRF. “We're starting to see more and more of these attacks, and I believe this will continue until developers become more educated about CSRF,” Zeller says. “An important difference between CSRF and XSS is that XSS requires a developer to create a hole -- a way for code to be injected to a site -- while CSRF attacks only require a developer to not fix a hole (which exists by default).”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • WhiteHat Security

    Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
    Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
    The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
    Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
    GitHub Named in Capital One Breach Lawsuit
    Dark Reading Staff 8/14/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    The State of IT Operations and Cybersecurity Operations
    The State of IT Operations and Cybersecurity Operations
    Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-08-20
    The my-wp-translate plugin before 1.0.4 for WordPress has XSS.
    PUBLISHED: 2019-08-20
    The my-wp-translate plugin before 1.0.4 for WordPress has CSRF.
    PUBLISHED: 2019-08-20
    The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the IP address field.
    PUBLISHED: 2019-08-20
    The user-access-manager plugin before 1.2 for WordPress has CSRF.
    PUBLISHED: 2019-08-20
    The user-domain-whitelist plugin before 1.5 for WordPress has CSRF.