Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:35 AM
Connect Directly

CSRF Flaws Found on Major Websites

Princeton University researchers reveal four sites with cross-site request forgery flaws and unveil tools to protect against these attacks

Researchers from Princeton University today revealed their discovery of four major Websites susceptible to the silent-but-deadly cross-site request forgery (CSRF) attack -- including one on INGDirect.com’s site that would let an attacker transfer money out of a victim’s bank account.

ING, YouTube, and MetaFilter all have since fixed these vulnerabilities after being alerted to them by the researchers, but as of press time, the fourth, The New York Times, still harbored a CSRF flaw on its site that would let an attacker cull and abuse email addresses from online subscribers to the site.

Bill Zeller, a PhD candidate at Princeton, says the CSRF bug that he and fellow researcher Edward Felton found on INGDirect.com represents one of the first publicly disclosed CSRF flaws on a bank site. “It is the first example of a CSRF attack that allows money to be transferred out of a bank account that I'm aware of,” Zeller says.

The CSRF bug they found on ING’s site would have let an attacker move funds from the victim’s account to another account the attacker opened in the user’s name, unbeknownst to the user. Even using an SSL session wouldn’t protect the user from such an attack, the researchers say. “Since ING did not explicitly protect against CSRF attacks, transferring funds from a user’s account was as simple as mimicking the steps a user would take when transferring funds," according to a report written by Zeller and Felton.

In a CSRF attack, an attacker can force the user’s browser to request a page or action without the user knowing, or the Website recognizing the request didn’t come from the actual legitimate user. CSRF is little understood in the Web development community, and it is therefore a very common vulnerability on Websites. “CSRF is extremely pervasive. It’s basically wherever you look,” says Jeremiah Grossman, CTO of WhiteHat Security .

Aside from the ING flaw, the Princeton researchers also found CSRF vulnerabilities on YouTube that would let an attacker friend a user, add videos to the user's favorites list, and send messages on behalf of the user, for instance. The bug on the MetaFilter blogging site let an attacker set a user’s email address to the attacker’s, and then basically take over the victim’s account. While both YouTube and MetaFilter have fixed their CSRF bugs, The New York Times has not.

That vulnerability lets an attacker grab email addresses of users registered on the site and use them for spamming, or finding the email addresses of all users who visit an attacker’s site after they are lured there by a fake email. “This attack is particularly dangerous because of the large number of users who have NYTimes accounts and because the NYTimes keeps users logged in for over a year,” the researchers said in their report. They also found that the Times’s new social-networking site TimesPeople is also vulnerable to CSRF attacks.

“The severity of the attacks we found illustrates that developers are not as familiar as they should be with these types of attacks,” Zeller says.

Meanwhile, Zeller and Felton have also developed some tools to protect against CSRF attacks. They released a plugin tool for Firefox to protect the client, and a plugin tool for the Code Igniter PHP server framework to prevent attacks on these Websites. Zeller says the browser plugin is limited because it only protects against cross-site POST requests, not GET requests. “If we had blocked GET requests, many of the images on the Web wouldn't work,” he explains. “[The plugin] can protect users from vulnerabilities in sites that don't protect themselves.”

Princeton's discovery of CSRF bugs on big-name Websites is only the tip of the iceberg for CSRF. “We're starting to see more and more of these attacks, and I believe this will continue until developers become more educated about CSRF,” Zeller says. “An important difference between CSRF and XSS is that XSS requires a developer to create a hole -- a way for code to be injected to a site -- while CSRF attacks only require a developer to not fix a hole (which exists by default).”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • WhiteHat Security

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 8/10/2020
    Pen Testers Who Got Arrested Doing Their Jobs Tell All
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
    Researcher Finds New Office Macro Attacks for MacOS
    Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Changing Face of Threat Intelligence
    The Changing Face of Threat Intelligence
    This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-08-10
    For GitLab Runner before 13.0.12, 13.1.6, 13.2.3, by replacing dockerd with a malicious server, the Shared Runner is susceptible to SSRF.
    PUBLISHED: 2020-08-10
    An exploitable code execution vulnerability exists in the file system checking functionality of fsck.f2fs 1.12.0. A specially crafted f2fs file can cause a logic flaw and out-of-bounds heap operations, resulting in code execution. An attacker can provide a malicious file to trigger this vulnerabilit...
    PUBLISHED: 2020-08-10
    An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
    PUBLISHED: 2020-08-10
    A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory.
    PUBLISHED: 2020-08-10
    A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system.