Wednesday, October 01, 2008

CSRF Flaws Found On Major Websites, Including a Bank

Slashbook reports on a recent announcement by Princeton researchers about four major Web sites on which they found exploitable cross-site request forgery (CSRF) vulnerabilities. The sites are NYTimes, YouTube, Metafilter and INGDirect.

YouTube, Metafilter and INGDirect have since patched the vulnerabilities after having been alerted to them, but the NYTimes has yet to fix theirs.

In a CSRF attack, the attacker forces a user's browser to request a page or perform an action without the user's knowledge; because the browser attaches the user's cookies automatically, the site sees a request that looks authenticated. CSRF is not well understood in the Web development community, which makes it a common vulnerability on websites.
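As an added illustration (not code from the original post or from the Princeton researchers), the block below contrasts a fund-transfer handler that trusts only the session cookie with a hardened version that also demands a same-origin Origin/Referer header and a session-bound token; the secret key, site origin, session ids and request dictionaries are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample values: a server-side key and the site's own origin.
SECRET_KEY = b"constructed-demo-key-not-for-production"
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to the session: random nonce plus HMAC over session and nonce."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Accept only a token whose MAC matches this session (constant-time compare)."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def same_origin(header_value: str, site_origin: str) -> bool:
    """Compare scheme and host:port exactly; a string-prefix match would accept lookalike hosts."""
    got, want = urlsplit(header_value), urlsplit(site_origin)
    return got.scheme == want.scheme and got.netloc == want.netloc and got.netloc != ""


def transfer_allowed_vulnerable(request: dict) -> bool:
    """The CSRF-prone pattern: a logged-in session cookie is the only check."""
    return request["method"] == "POST" and "session" in request["cookies"]


def transfer_allowed(request: dict) -> bool:
    """Hardened: require POST, a same-origin Origin/Referer, and a token bound to this session."""
    if request["method"] != "POST" or "session" not in request["cookies"]:
        return False
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source is None or not same_origin(source, SITE_ORIGIN):
        return False
    token = request["form"].get("csrf_token", "")
    return verify_csrf_token(request["cookies"]["session"], token)
```

A cross-site form post carries the victim's cookie but neither a same-origin header nor a token the attacker could know, so only the hardened handler rejects it.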
“CSRF is extremely pervasive. It’s basically wherever you look,” says Jeremiah Grossman, CTO of WhiteHat Security.
Princeton's discovery of CSRF bugs on well-known websites is only the tip of the iceberg.
“We're starting to see more and more of these attacks, and I believe this will continue until developers become more educated about CSRF,” says Bill Zeller, a PhD candidate at Princeton.
See darkREADING for more information.