Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:35 AM
Connect Directly

CSRF Flaws Found on Major Websites

Princeton University researchers reveal four sites with cross-site request forgery flaws and unveil tools to protect against these attacks

Researchers from Princeton University today revealed their discovery of four major Websites susceptible to the silent-but-deadly cross-site request forgery (CSRF) attack -- including one on INGDirect.com’s site that would let an attacker transfer money out of a victim’s bank account.

ING, YouTube, and MetaFilter all have since fixed these vulnerabilities after being alerted to them by the researchers, but as of press time, the fourth, The New York Times, still harbored a CSRF flaw on its site that would let an attacker cull and abuse email addresses from online subscribers to the site.

Bill Zeller, a PhD candidate at Princeton, says the CSRF bug that he and fellow researcher Edward Felton found on INGDirect.com represents one of the first publicly disclosed CSRF flaws on a bank site. “It is the first example of a CSRF attack that allows money to be transferred out of a bank account that I'm aware of,” Zeller says.

The CSRF bug they found on ING’s site would have let an attacker move funds from the victim’s account to another account the attacker opened in the user’s name, unbeknownst to the user. Even using an SSL session wouldn’t protect the user from such an attack, the researchers say. “Since ING did not explicitly protect against CSRF attacks, transferring funds from a user’s account was as simple as mimicking the steps a user would take when transferring funds," according to a report written by Zeller and Felton.

In a CSRF attack, an attacker can force the user’s browser to request a page or action without the user knowing, or the Website recognizing the request didn’t come from the actual legitimate user. CSRF is little understood in the Web development community, and it is therefore a very common vulnerability on Websites. “CSRF is extremely pervasive. It’s basically wherever you look,” says Jeremiah Grossman, CTO of WhiteHat Security .

Aside from the ING flaw, the Princeton researchers also found CSRF vulnerabilities on YouTube that would let an attacker friend a user, add videos to the user's favorites list, and send messages on behalf of the user, for instance. The bug on the MetaFilter blogging site let an attacker set a user’s email address to the attacker’s, and then basically take over the victim’s account. While both YouTube and MetaFilter have fixed their CSRF bugs, The New York Times has not.

That vulnerability lets an attacker grab email addresses of users registered on the site and use them for spamming, or finding the email addresses of all users who visit an attacker’s site after they are lured there by a fake email. “This attack is particularly dangerous because of the large number of users who have NYTimes accounts and because the NYTimes keeps users logged in for over a year,” the researchers said in their report. They also found that the Times’s new social-networking site TimesPeople is also vulnerable to CSRF attacks.

“The severity of the attacks we found illustrates that developers are not as familiar as they should be with these types of attacks,” Zeller says.

Meanwhile, Zeller and Felton have also developed some tools to protect against CSRF attacks. They released a plugin tool for Firefox to protect the client, and a plugin tool for the Code Igniter PHP server framework to prevent attacks on these Websites. Zeller says the browser plugin is limited because it only protects against cross-site POST requests, not GET requests. “If we had blocked GET requests, many of the images on the Web wouldn't work,” he explains. “[The plugin] can protect users from vulnerabilities in sites that don't protect themselves.”

Princeton's discovery of CSRF bugs on big-name Websites is only the tip of the iceberg for CSRF. “We're starting to see more and more of these attacks, and I believe this will continue until developers become more educated about CSRF,” Zeller says. “An important difference between CSRF and XSS is that XSS requires a developer to create a hole -- a way for code to be injected to a site -- while CSRF attacks only require a developer to not fix a hole (which exists by default).”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • WhiteHat Security

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-12-05
    reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stock API Integration for PrestaShop 1.6 and 1.7 allows remote attackers to execute arbitrary code by uploading a .php file.
    PUBLISHED: 2019-12-05
    reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for PrestaShop allows remote attackers to execute arbitrary code by uploading a .php file.
    PUBLISHED: 2019-12-05
    The chkstat tool in the permissions package followed symlinks before commit a9e1d26cd49ef9ee0c2060c859321128a6dd4230 (please also check the additional hardenings after this fix). This allowed local attackers with control over a path that is traversed by chkstat to escalate privileges.
    PUBLISHED: 2019-12-05
    haskell-tls-extra before 0.6.1 has Basic Constraints attribute vulnerability may lead to Man in the Middle attacks on TLS connections
    PUBLISHED: 2019-12-05
    Improper validation of URL redirection in the Kubernetes API server in versions prior to v1.14.0 allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints to arbitrary hosts. Impacted API servers will follow the redirect as a GET request with client-certificate c...