Security flaw revealed on banking site
Posted on 30 Sep 2008 at 10:50
Researchers have revealed cross-site request forgery flaws in four extremely popular websites, one of which allowed attackers to transfer funds from a user's bank account without their permission.
The team from Princeton University identified cross-site request forgery (CSRF) vulnerabilities on YouTube, MetaFilter, the New York Times and ING's website, highlighting the extent of the problem.
Researchers say that despite giving administrators "ample time" to correct the issues prior to the publication of details, the New York Times has yet to fix the flaw. The three remaining sites have since closed the security holes.
The fact that such flaws existed in well-established and well-funded sites highlights the extent of the CSRF problem, claim the researchers.
"We discovered CSRF vulnerabilities in ING's site that allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user's account to the attacker's account," explains the paper published by the team.
"Since ING did not explicitly protect against CSRF attacks, transferring funds from a user's accounts was as simple as mimicking the steps a user would take when transferring funds."
On the New York Times site the attack allows the discovery of arbitrary users' email addresses, potentially leaving them open to spam. On MetaFilter attackers could use CSRF to take control of a user's page via the lost password feature.
YouTube was shown to be vulnerable to scripting attacks in "nearly every action a user can perform".
The group has developed two tools to protect against CSRF attacks: one takes the form of a plugin for Firefox aimed at users, the other a server plugin for website administrators.
"We have created two tools that can protect a large number of users from CSRF attacks. The first is a server-side tool which can completely protect a potential target site from CSRF attacks. The second is a client-side tool which can protect users from certain types of CSRF attacks."
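The quoted paper explains that the ING transfer succeeded because the site never checked that the request actually came from its own pages: the browser attaches the session cookie to a cross-site form post automatically, so "mimicking the steps a user would take" was enough. The following is an added illustration of the server-side protection the article describes, not code from the Princeton tools or from any of the sites named. It is a hypothetical transfer handler that binds a random token to the session, embeds it in the bank's own form, and rejects any state-changing request that does not carry it (or that arrives with a foreign Origin/Referer). The site name, session ids, and balances are constructed sample values.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store standing in for the bank's real one.
SESSIONS = {}


@dataclass
class Session:
    user: str
    balance: int
    # Per-session secret; a cross-site page cannot read it (same-origin policy),
    # so it cannot be copied into a forged form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    session_cookie: str   # the browser attaches this automatically, even cross-site
    form: dict            # POSTed form fields
    headers: dict         # e.g. Origin / Referer as sent by the browser


def render_transfer_form(session_id):
    """The bank's own transfer page embeds the token as a hidden field."""
    session = SESSIONS[session_id]
    return (f'<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            f'<input name="to"><input name="amount"><button>Send</button></form>')


def csrf_check(request, session, allowed_origin):
    """Return (ok, reason). All three checks must pass for a state change."""
    # 1. State-changing actions only via POST; a GET link must never move money.
    if request.method != "POST":
        return False, "method"
    # 2. If the browser sent an Origin or Referer, it must be our own site.
    origin = request.headers.get("Origin") or request.headers.get("Referer")
    if origin is not None and not origin.startswith(allowed_origin):
        return False, "origin"
    # 3. The hidden token must match the session's token (constant-time compare).
    supplied = request.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False, "token"
    return True, "ok"


def handle_transfer(request, allowed_origin="https://bank.example"):
    """Hypothetical /transfer endpoint: returns (status, message)."""
    session = SESSIONS.get(request.session_cookie)
    if session is None:
        return 401, "not logged in"
    ok, reason = csrf_check(request, session, allowed_origin)
    if not ok:
        return 403, f"rejected: {reason}"
    amount = int(request.form.get("amount", "0"))
    if amount <= 0 or amount > session.balance:
        return 400, "bad amount"
    session.balance -= amount
    return 200, f"transferred {amount} to {request.form['to']}"


def demo():
    """Legitimate post from the bank's form succeeds; cookie-only posts do not."""
    SESSIONS.clear()
    SESSIONS["sid-alice"] = Session("alice", 1000)
    token = SESSIONS["sid-alice"].csrf_token
    legit = Request("POST", "sid-alice",
                    {"to": "bob", "amount": "100", "csrf_token": token},
                    {"Origin": "https://bank.example"})
    # Same cookie, but no token and a foreign origin: what a cross-site form post looks like.
    foreign = Request("POST", "sid-alice", {"to": "mallory", "amount": "100"},
                      {"Origin": "https://other.example"})
    # Same cookie, headers stripped: the token check still catches it.
    no_headers = Request("POST", "sid-alice", {"to": "mallory", "amount": "100"}, {})
    return [handle_transfer(legit), handle_transfer(foreign),
            handle_transfer(no_headers), SESSIONS["sid-alice"].balance]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The token check is the one that matters: Origin and Referer are sometimes absent, so they are treated as a supporting check rather than the only one, and the compare uses `hmac.compare_digest` so a wrong token cannot be distinguished by timing.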
Author: Matthew Sparkes
Printed from www.pcpro.co.uk