CSRF Flaws Found On Major Websites, Including a Bank
An anonymous reader sends a link to DarkReading on the recent announcement by Princeton researchers of four major Web sites on which they found exploitable cross-site request forgery vulnerabilities. The sites are the NYTimes, YouTube, Metafilter, and INGDirect. All but the NYTimes site have patched the hole. “…four major Websites susceptible to the silent-but-deadly cross-site request forgery attack — including one on INGDirect.com’s site that would let an attacker transfer money out of a victim’s bank account… Bill Zeller, a PhD candidate at Princeton, says the CSRF bug that he and fellow researcher Edward Felten found on INGDirect.com represents… ‘the first example of a CSRF attack that allows money to be transferred out of a bank account that [we’re] aware of.’… CSRF is little understood in the Web development community, and it is therefore a very common vulnerability on Websites. ‘It’s basically wherever you look,’ says [a security researcher].” Here are Zeller’s Freedom to Tinker post and the research paper (PDF).
Read more of this story at Slashdot.