Scripting Attacks Plague Even the Web’s Largest Sites

Two security researchers have released details on some very scary Cross-Site Request Forgery (CSRF) attacks that affect some of the largest sites on the web. The sites detailed in the report from security experts Ed Felten and Bill Zeller are ING Direct, YouTube, MetaFilter and the New York Times. The most disturbing is the ING Direct attack, which allowed attackers to transfer funds out of your bank account.

It used to be that most online threats could be avoided by the technically savvy — those of us not fooled by phishing e-mails and fake websites. But that isn’t true anymore: CSRF attacks are nearly transparent to the user and can come from sites you’d normally be inclined to trust. To perform a CSRF attack, the attacker places a bit of code in a web page (usually a chat board or forum) that initiates an action at a different website where you’re already authenticated. So if you have a local cookie stored that automatically logs you into your banking website, for example, the attacker can effectively pose as you and request fund transfers without you ever knowing about it, or even clicking on anything.

The details in the report make it clear that CSRF attacks are no longer something confined to the dark corners of the internet, but could in fact be lurking on nearly any page.

Fortunately, Felten and Zeller reported all the vulnerabilities to site administrators and the holes have been patched. Well, except for the New York Times flaw, which was reported over a year ago and still hasn’t been fixed. Apparently the Gray Lady moves rather slowly when it comes to security. In the case of the Times site, the attack is primarily useful for gathering e-mail addresses; Felten and Zeller write:

An attacker can forge a request to activate the “Email This” feature while setting his email address as the recipient. When a user visits the attacker’s page, an email will be sent to the attacker’s email address containing the user’s email address. This attack can be used for identification (e.g., finding the email addresses of all users who visit an attacker’s site) or for spam. This attack is particularly dangerous because of the large number of users who have NYTimes’ accounts and because the NYTimes keeps users logged in for over a year.

Perhaps the most interesting note in the post is the takeaway where Felten and Zeller write, “if you’re in charge of a website and haven’t specifically protected against CSRF, chances are you’re vulnerable.”

In other words, unless you’re taking active steps to secure your site against CSRF attacks, your users have no reason to trust you.

If you’re worried about CSRF attacks on your favorite sites, one of the best ways to avoid them is to use the Firefox browser with the NoScript add-on, which prevents such scripts from ever loading. Also, always choose the Log Out option when you leave a website. Furthermore, if you’re a site owner who uses persistent cookies on your website, your users are at risk. We’d recommend you start by reading the full report and the CSRF Wikipedia page, which goes into greater detail.
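As an added illustration, not code from this article or from the Felten and Zeller report, the Python sketch below puts the pattern described above (a state-changing request authorised by the session cookie alone) beside the synchronizer-token check that “specifically protecting against CSRF” usually means, and shows why logging out closes the window. The `Request` class, the in-memory `SESSIONS` store and the handler names are assumptions made for this example; the session id and token values are generated at run time.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store for the example: session id -> session data.
# A real site would keep this server-side in a database or cache.
SESSIONS = {}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (hypothetical, for the example)."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def start_session(user):
    """Log a user in: create a session and issue a fresh, unguessable CSRF token
    that is tied to that session and is never sent in a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def end_session(sid):
    """The article's 'Log Out' advice: a destroyed session cannot be ridden."""
    SESSIONS.pop(sid, None)


def render_transfer_form(sid):
    """Return the hidden-field value a legitimate page served to this session embeds.
    The token reaches the form only through a same-origin page, which a page on
    some other site cannot read."""
    return SESSIONS[sid]["csrf_token"]


def transfer_vulnerable(req):
    """Authorises the transfer on the strength of the session cookie alone.
    The browser attaches that cookie to any request aimed at this site, so a
    form auto-submitted from an unrelated page succeeds as well."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    return 200, f"{sess['user']} transferred {req.form['amount']} to {req.form['to']}"


def transfer_protected(req):
    """Same handler with the synchronizer-token check added: the submitted token
    must equal the one stored for this session. compare_digest keeps the
    comparison constant-time."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403, "csrf token missing or invalid"
    return 200, f"{sess['user']} transferred {req.form['amount']} to {req.form['to']}"


def demo():
    """Walk through the cases: a cross-site request against each handler, a
    legitimate same-origin submission, and the same submission after logout.
    Returns the four HTTP status codes."""
    sid = start_session("alice")
    # Carries alice's cookie but no token: what another page can cause her
    # browser to send without her clicking anything.
    cross_site = Request(cookies={"session": sid},
                         form={"amount": "500", "to": "other-account"})
    unprotected = transfer_vulnerable(cross_site)[0]
    protected = transfer_protected(cross_site)[0]
    # A submission from the site's own transfer page, which embeds the token.
    legit = Request(cookies={"session": sid},
                    form={"amount": "20", "to": "savings",
                          "csrf_token": render_transfer_form(sid)})
    legit_status = transfer_protected(legit)[0]
    # After logout, even a previously valid session cookie is worthless.
    end_session(sid)
    after_logout = transfer_protected(legit)[0]
    return unprotected, protected, legit_status, after_logout


if __name__ == "__main__":
    print(demo())  # (200, 403, 200, 401)
```

The cookie check is identical in both handlers; the only difference is that the protected one demands a second secret that the browser does not send automatically. Persistent “keep me logged in” cookies, as the article notes, simply widen the period during which the unprotected handler can be driven by a third party.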

[via Simon Willison]
