Slashdot Mirror


CSRF Flaws Found On Major Websites, Including a Bank

An anonymous reader sends a link to DarkReading on the recent announcement by Princeton researchers of four major Web sites on which they found exploitable cross-site request forgery vulnerabilities. The sites are the NYTimes, YouTube, Metafilter, and INGDirect. All but the NYTimes site have patched the hole. "... four major Websites susceptible to the silent-but-deadly cross-site request forgery attack — including one on INGDirect.com's site that would let an attacker transfer money out of a victim's bank account ... Bill Zeller, a PhD candidate at Princeton, says the CSRF bug that he and fellow researcher Edward Felten found on INGDirect.com represents ... 'the first example of a CSRF attack that allows money to be transferred out of a bank account that [we're] aware of.' ... CSRF is little understood in the Web development community, and it is therefore a very common vulnerability on Websites. 'It's basically wherever you look,' says [a security researcher]." Here are Zeller's Freedom to Tinker post and the research paper (PDF).
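As an added illustration (not part of the Slashdot story or of Zeller and Felten's paper), the Python sketch below shows the class of bug the story describes and the synchronizer-token defence that frameworks such as Rails apply by default: a money-transfer handler that trusts the session cookie alone, beside one that also requires a per-session token the site renders into its own forms. The session store, the server secret, the account names and the balances are all constructed for the example; no real site's code or identifiers are used.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server-side secret for deriving per-session CSRF tokens (hypothetical value).
SERVER_SECRET = b"constructed-demo-secret"
# Constructed in-memory session store: session id -> session data.
SESSIONS = {}


@dataclass
class Request:
    """Minimal model of what the server sees: method, cookies the browser attached, form body."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and return its id (the value the 'sid' cookie carries)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid


def csrf_token(sid: str) -> str:
    """Synchronizer token: an HMAC over the session id, embedded in the site's own forms.
    A page on another origin cannot read it out of the victim's page, so it cannot supply it."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def _apply_transfer(ledger: dict, user: str, form: dict) -> str:
    """Business logic shared by both handlers; validates destination and amount."""
    dst = form.get("to")
    try:
        amount = int(form.get("amount", "0"))
    except ValueError:
        return "denied: bad amount"
    if dst not in ledger or amount <= 0 or ledger.get(user, 0) < amount:
        return "denied: bad transfer"
    ledger[user] -= amount
    ledger[dst] += amount
    return "ok"


def transfer_vulnerable(ledger: dict, req: Request) -> str:
    """Authenticates by session cookie alone. Browsers attach cookies to cross-site form
    posts too, so a POST triggered from any page the victim visits passes this check."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return "denied: not logged in"
    return _apply_transfer(ledger, sess["user"], req.form)


def transfer_hardened(ledger: dict, req: Request) -> str:
    """Same handler plus a synchronizer-token check bound to the session."""
    sid = req.cookies.get("sid", "")
    sess = SESSIONS.get(sid)
    if req.method != "POST" or sess is None:
        return "denied: not logged in"
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the token check itself leaks nothing via timing.
    if not hmac.compare_digest(csrf_token(sid), supplied):
        return "denied: missing or invalid CSRF token"
    return _apply_transfer(ledger, sess["user"], req.form)


def cross_site_post(sid: str, form: dict) -> Request:
    """Model of a POST auto-submitted from a third-party page while the victim is logged in:
    the browser attaches the victim's session cookie, but the body only holds fields the
    third-party page chose, and it has no way to include the token it cannot read."""
    return Request("POST", cookies={"sid": sid}, form=dict(form))


def same_site_post(sid: str, form: dict) -> Request:
    """A POST from the site's own form, which carries the token rendered into that page."""
    body = dict(form)
    body["csrf_token"] = csrf_token(sid)
    return Request("POST", cookies={"sid": sid}, form=body)


def demo() -> dict:
    """Run both handlers against a cross-site and a legitimate request; return outcomes."""
    sid = login("alice")
    ledger_v = {"alice": 1000, "mallory": 0}  # constructed balances, vulnerable handler
    ledger_h = {"alice": 1000, "mallory": 0}  # constructed balances, hardened handler
    payload = {"to": "mallory", "amount": "500"}
    results = {}
    results["vulnerable_cross_site"] = transfer_vulnerable(ledger_v, cross_site_post(sid, payload))
    results["vulnerable_balance"] = ledger_v["alice"]
    results["hardened_cross_site"] = transfer_hardened(ledger_h, cross_site_post(sid, payload))
    results["hardened_balance_after_cross_site"] = ledger_h["alice"]
    results["hardened_same_site"] = transfer_hardened(ledger_h, same_site_post(sid, payload))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The property the token relies on is the same-origin policy: a page elsewhere can make the victim's browser send the session cookie, but it cannot read the token out of the bank's page and so cannot put it in the request body. Checking the Origin or Referer header on state-changing requests and marking the session cookie SameSite are complementary mitigations.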

3 of 143 comments

  1. Heh by FlyByPC · Score: 4, Funny

    "...four major Websites susceptible to the silent-but-deadly cross-site request forgery attack..."

    I knew something smelled funny...

    --
    Paleotechnologist and connoisseur of pretty shiny things.
  2. Re:Very easy by nacturation · Score: 3, Funny

    Ruby On Rails has prevented this, by default, for almost a year...

    Nice boast, but I'll see your Ruby on Rails for almost a year and raise you a .NET viewstate for five and a half years. Go Microsoft!

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  3. irony by The Clockwork Troll · Score: 3, Funny

    The unexpected conclusion of Zeller and Felten's paper is that the worldwide banking collapse is actually a protective measure against malware. With assets illiquid, even CSRF attacks can't move money!

    --
    There are no karma whores, only moderation johns