Tossing My Cookies

Every once in a while, a vulnerability scares the heck out of even the most jaded security pros

6:00 PM -- I'm a little more careful with my cookies now.

If you work in this industry, you have to keep your emotional distance from the latest and greatest threats, or otherwise you could end up locked away in a room with your stand-alone PC and no Internet access or wireless card. At the extreme, this professional distance takes the form of denial, like "the latest Microsoft patches don't apply to me" or "no need to worry about that exploit because I have antivirus."

But there's something unnerving about Cross-Site Request Forgery (CSRF). (See CSRF Vulnerability: A 'Sleeping Giant'.)

CSRF vulnerability is present in almost every Website. That's red flag number one. And red flag number two is that it's tough to detect and correct. A CSRF attack occurs when you visit a Web page controlled by an attacker and it forces your browser -- using your legitimate, authenticated cookies -- to make malicious requests on your behalf. So an attacker could wipe out my bank account before I could balance my checkbook.
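The mechanism just described (the browser attaching its cookies to a request that an attacker's page initiated) is what a server-side CSRF gate has to break, and the usual defence is to demand something the attacker's page cannot supply: a matching Origin plus a per-session token. The following is an added example, not code from the column or from Dark Reading; it assumes a hypothetical site at https://bank.example with a `session` cookie, a server-side `SECRET_KEY`, and a `csrf_token` form field, all constructed for the demo.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Hypothetical configuration (assumption: the app is served only from this origin).
SITE_ORIGIN = "https://bank.example"
SECRET_KEY = b"server-side secret, constructed for the demo"


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token (synchronizer-token pattern).
    The token is bound to the session, so possessing the cookie alone
    is not enough to authorise a state-changing request."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(method: str, headers: dict, cookies: dict, form: dict) -> tuple:
    """Defender-side gate for one HTTP request. Returns (allowed, reason).
    Safe methods pass; unsafe ones must come from our own origin AND carry
    the token that matches the session cookie."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    session_id = cookies.get("session")
    if not session_id:
        return False, "no session cookie"
    # 1. Origin check: a request forged from another site carries that site's
    #    Origin (or Referer); a request with neither header is treated as foreign.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    source_origin = f"{parts.scheme}://{parts.netloc}"
    if source_origin != SITE_ORIGIN:
        return False, f"cross-site origin {source_origin}"
    # 2. Token check: the foreign page cannot read the victim's token, so a
    #    forged form cannot include it. compare_digest avoids timing leaks.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, issue_csrf_token(session_id)):
        return False, "bad or missing csrf token"
    return True, "ok"


if __name__ == "__main__":
    cookies = {"session": "sess-123"}          # the victim's real, authenticated cookie
    forged = is_request_allowed("POST", {"Origin": "https://other.example"}, cookies, {})
    legit = is_request_allowed("POST", {"Origin": SITE_ORIGIN}, cookies,
                               {"csrf_token": issue_csrf_token("sess-123")})
    print("forged:", forged, "| legitimate:", legit)
```

A `SameSite=Lax` or `Strict` attribute on the session cookie is a complementary control that keeps the browser from attaching the cookie to cross-site requests in the first place, but the server-side check above does not depend on it.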

So this time around, I sent Dark Reading's Web group a heads-up link to my CSRF story, "just in case," having been burnt before. You may recall the last time I wrote a story about a big-time Web threat -- Cross-Site Scripting (XSS) -- our Website was exposed for having the very same XSS vulnerability as in our article.

Oh, I know CSRF isn't as widespread as XSS. But I'm still keeping my fingers crossed that nobody stirs that sleeping giant. And in the meantime, I'm heeding the advice of security researchers and purging my cookies. Wanna join me?

— Kelly Jackson Higgins, Senior Editor, Dark Reading
