Security flaw revealed on banking site
By Matthew Sparkes
Posted on 30 Sep 2008 at 10:50
Researchers have disclosed the same class of security flaw on four extremely popular websites, one of which allowed attackers to transfer funds from a user's bank account without their permission.
The team from Princeton University identified cross-site request forgery (CSRF) vulnerabilities on YouTube, MetaFilter, the New York Times and ING's website. In a CSRF attack a malicious page makes a logged-in user's browser send a request to the target site, and the site accepts it as the user's own because the browser automatically attaches the user's session cookie.
Researchers say that despite giving "ample time" to administrators to correct the issues prior to the publication of details, the New York Times is yet to fix the flaw. The three remaining sites have since closed the security holes.
The fact that such flaws existed in well-established and well-funded sites highlights the extent of the CSRF problem, claim the researchers.
"We discovered CSRF vulnerabilities in ING's site that allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user's account to the attacker's account," explains the paper published by the team.
"Since ING did not explicitly protect against CSRF attacks, transferring funds from a user's accounts was as simple as mimicking the steps a user would take when transferring funds."
On the New York Times site the attack lets an attacker discover the email address of any logged-in user who visits a malicious page, potentially leaving them open to spam. On MetaFilter attackers could use CSRF to take control of a user's account via the lost-password feature.
YouTube was shown to be vulnerable to CSRF attacks in "nearly every action a user can perform".
The group has developed two tools to protect against CSRF attacks: one is a Firefox extension aimed at users, the other a server-side plugin for website administrators.
"We have created two tools that can protect a large number of users from CSRF attacks. The first is a server-side tool which can completely protect a potential target site from CSRF attacks. The second is a client-side tool which can protect users from certain types of CSRF attacks."
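The following is an added example, not code from the article or from the Princeton team's tools, illustrating both the attack quoted above (a cross-site form that mimics the steps a user takes to transfer funds) and the kind of server-side check the researchers describe. The bank origin, the attacker page, the session store and the balances are all constructed for the example; the token scheme (an HMAC of the session id, checked alongside the Origin/Referer header) is one common synchronizer-token design, not necessarily what the Princeton plugin does.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical origin of the target site; not ING's real address.
BANK_ORIGIN = "https://bank.example"

# Constructed attacker page: a form that mimics the bank's transfer form and
# submits itself as soon as the victim's browser renders it.  The browser
# attaches the victim's bank session cookie to the resulting POST.
ATTACKER_PAGE = """\
<form id="f" action="https://bank.example/transfer" method="POST">
  <input type="hidden" name="to" value="mallory">
  <input type="hidden" name="amount" value="500">
</form>
<script>document.getElementById("f").submit();</script>
"""


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, or '' if the URL is absent or malformed."""
    u = urlsplit(url or "")
    return f"{u.scheme}://{u.netloc}" if u.scheme and u.netloc else ""


class Bank:
    """Toy bank with one logged-in user; state is per instance so runs are independent."""

    def __init__(self):
        self.sessions = {"sess-alice": "alice"}      # cookie value -> user
        self.balances = {"alice": 1000, "mallory": 0}
        self.secret = secrets.token_bytes(32)        # key for minting CSRF tokens

    def _user(self, req: Request):
        return self.sessions.get(req.cookies.get("session", ""))

    def _do_transfer(self, sender: str, to: str, amount: int):
        if to not in self.balances or amount <= 0 or self.balances[sender] < amount:
            return 400, "bad transfer"
        self.balances[sender] -= amount
        self.balances[to] += amount
        return 200, f"moved {amount} from {sender} to {to}"

    def transfer_vulnerable(self, req: Request):
        """Authenticates with the session cookie alone: ambient authority a cross-site form can ride on."""
        user = self._user(req)
        if req.method != "POST" or user is None:
            return 403, "not logged in"
        return self._do_transfer(user, req.form.get("to", ""), int(req.form.get("amount", 0)))

    def csrf_token(self, session_cookie: str) -> str:
        """Synchronizer token bound to the session: HMAC(secret, session id).
        The bank embeds it in every form it renders; an attacker's page cannot read it."""
        return hmac.new(self.secret, session_cookie.encode(), hashlib.sha256).hexdigest()

    def transfer_protected(self, req: Request):
        user = self._user(req)
        if req.method != "POST" or user is None:
            return 403, "not logged in"
        # Check 1: the request must come from our own origin (Origin header, else Referer).
        src = origin_of(req.headers.get("Origin") or req.headers.get("Referer"))
        if src != BANK_ORIGIN:
            return 403, "cross-site request rejected"
        # Check 2: the form must carry the token minted for this session (constant-time compare).
        expected = self.csrf_token(req.cookies["session"])
        if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
            return 403, "missing or invalid CSRF token"
        return self._do_transfer(user, req.form.get("to", ""), int(req.form.get("amount", 0)))


def forged_request() -> Request:
    """What the victim's browser sends after loading ATTACKER_PAGE while logged in to the bank."""
    return Request("POST", {"session": "sess-alice"}, {"to": "mallory", "amount": "500"},
                   {"Origin": "https://evil.example", "Referer": "https://evil.example/cat.html"})


def legitimate_request(bank: Bank) -> Request:
    """A transfer submitted from the bank's own page, which rendered the token into the form."""
    return Request("POST", {"session": "sess-alice"},
                   {"to": "mallory", "amount": "500", "csrf_token": bank.csrf_token("sess-alice")},
                   {"Origin": BANK_ORIGIN})


if __name__ == "__main__":
    bank = Bank()
    print(bank.transfer_vulnerable(forged_request()), bank.balances)   # forged request succeeds
    bank = Bank()
    print(bank.transfer_protected(forged_request()), bank.balances)    # rejected, balance intact
    print(bank.transfer_protected(legitimate_request(bank)), bank.balances)
```

Two points worth noting. The forged request carries a valid session cookie, so any server that treats the cookie as proof of intent (the vulnerable handler) cannot tell it from a real one; the token works because the attacker's page cannot read the bank's pages and so cannot learn it. The origin check is written to fail closed when neither Origin nor Referer is present, which also blocks some legitimate clients behind privacy proxies, so the token remains the primary defence and the header check is a cheap second layer.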