
Four top sites vulnerable to attack, warn researchers

Tom Espiner ZDNet.co.uk

Published: 30 Sep 2008 14:17 BST


Four leading websites were or are vulnerable to attack through an underrated vulnerability, according to Princeton University researchers.

While ING Direct, YouTube and Metafilter have taken action to address the cross-site-request-forgery (CSRF) vulnerabilities, the fourth site, belonging to The New York Times, has not been fixed, the researchers claimed in a blog post.

CSRF flaws can be exploited so that a user's browser is hijacked during a session and used to access a secure target site. Web authentication normally relies on cookies containing a pseudo-random session identifier, assigned to a browser at the beginning of a session, so a hacker who hijacks that browser during the session can perform actions normally restricted to the user.

In the case of ING Direct, which the Princeton researchers said was one of the first financial services sites they had found to be vulnerable, the researchers managed to transfer funds out of user accounts and create accounts on behalf of arbitrary users.


The researchers claimed to have discovered CSRF flaws in "nearly every action a user could perform on YouTube", including sending arbitrary messages on the user's behalf. Metafilter blog accounts could be subverted by the attacker changing the user's email to that of the attacker.

The researchers claimed they had let the sites know about these vulnerabilities in September last year, but said the vulnerability on NYTimes.com had still not been fixed. That site's flaw could allow hackers to find out the email addresses of the website's users and spam them, the researchers warned. The New York Times had not responded to a request for comment at the time of writing.

The Princeton researchers warned in a research paper that CSRF vulnerabilities were the "sleeping giant" of web flaws, and said many sites were open to attack through these flaws. The researchers suggested a number of ways to prevent CSRF. These included web developers coding their sites so that GET requests only retrieve data and do not modify any data on the server.
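The GET rule above can be enforced in the request dispatcher rather than left to each handler. The sketch below is an added example, not code from the article or the Princeton paper: the `Router` class, the routes and the sample user are hypothetical, and the `user` parameter stands in for the identity a real site would take from the session cookie. It covers only the GET measure; forged POST submissions need a separate defence.

```python
from types import MappingProxyType

SAFE_METHODS = {"GET", "HEAD"}  # methods that may only retrieve data

class Router:
    """Toy dispatcher (hypothetical) that keeps safe methods read-only."""

    def __init__(self, store):
        self._store = store   # flat server-side state: user -> email
        self._routes = {}     # (method, path) -> handler

    def route(self, method, path):
        def register(handler):
            self._routes[(method, path)] = handler
            return handler
        return register

    def dispatch(self, method, path, params):
        handler = self._routes.get((method, path))
        if handler is None:
            allowed = sorted(m for m, p in self._routes if p == path)
            return (405, {"Allow": ", ".join(allowed)}) if allowed else (404, {})
        # Safe methods receive a read-only view of the state, so a handler
        # reached by GET cannot change anything even if it tries to.
        safe = method in SAFE_METHODS
        state = MappingProxyType(self._store) if safe else self._store
        try:
            return 200, handler(state, params)
        except TypeError:  # raised by mappingproxy on any write attempt
            return 500, {"error": "write attempted during a safe request"}

def build_app(store):
    app = Router(store)

    @app.route("GET", "/profile")
    def show_profile(state, params):
        return {"email": state[params["user"]]}

    @app.route("POST", "/profile/email")
    def change_email(state, params):
        state[params["user"]] = params["email"]
        return {"email": state[params["user"]]}

    # Flawed pattern: a state change exposed over GET. The read-only view
    # turns it into an error instead of a silent modification.
    @app.route("GET", "/profile/email-legacy")
    def change_email_via_get(state, params):
        state[params["user"]] = params["email"]
        return {}

    return app
```
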
