Slashdot Mirror


CSRF Flaws Found On Major Websites, Including a Bank

An anonymous reader sends a link to DarkReading on the recent announcement by Princeton researchers of four major Web sites on which they found exploitable cross-site request forgery vulnerabilities. The sites are the NYTimes, YouTube, Metafilter, and INGDirect. All but the NYTimes site have patched the hole. "... four major Websites susceptible to the silent-but-deadly cross-site request forgery attack — including one on INGDirect.com's site that would let an attacker transfer money out of a victim's bank account ... Bill Zeller, a PhD candidate at Princeton, says the CSRF bug that he and fellow researcher Edward Felten found on INGDirect.com represents ... 'the first example of a CSRF attack that allows money to be transferred out of a bank account that [we're] aware of.' ... CSRF is little understood in the Web development community, and it is therefore a very common vulnerability on Websites. 'It's basically wherever you look,' says [a security researcher]." Here are Zeller's Freedom to Tinker post and the research paper (PDF).
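The reason a forged request succeeds is that the browser attaches the victim's session cookie to any request aimed at the site, so a cookie alone never proves the user intended the action. The following is an added illustration, not code from the Princeton paper or from any of the sites named above: a toy money-transfer handler that trusts only the cookie, beside a hardened version that also requires a per-session synchronizer token and rejects a mismatched Origin header. All names, the secret, the session store and the balances are constructed for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed demo secret; a real service loads this from a secret store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
# Hypothetical origin of our own site, not any real bank.
SITE_ORIGIN = "https://bank.example"

# Toy session store: session cookie value -> account owner (constructed).
SESSIONS = {"sess-alice": "alice"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: cookies, form fields, headers."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def new_bank() -> dict:
    """Fresh constructed account balances so each run starts from a known state."""
    return {"alice": 1000, "mallory": 0}


def _apply_transfer(bank: dict, owner: str, req: Request) -> str:
    amount = int(req.form["amount"])
    bank[owner] -= amount
    bank[req.form["to"]] = bank.get(req.form["to"], 0) + amount
    return "200 transferred"


def transfer_vulnerable(bank: dict, req: Request) -> str:
    """State-changing endpoint that relies on the session cookie alone.
    The cookie is ambient: the browser sends it with any request to the site,
    including one a third-party page caused, so this handler cannot tell a
    deliberate transfer from a forged one."""
    owner = SESSIONS.get(req.cookies.get("session"))
    if owner is None:
        return "401 not logged in"
    return _apply_transfer(bank, owner, req)


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session with an HMAC. The server embeds
    it in its own forms; a cross-origin page cannot read it because the
    same-origin policy blocks reading our responses, so it cannot forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_hardened(bank: dict, req: Request) -> str:
    """Same endpoint with two independent CSRF defences layered on."""
    session_id = req.cookies.get("session")
    owner = SESSIONS.get(session_id)
    if owner is None:
        return "401 not logged in"
    # Defence 1: the form must carry the token bound to this session.
    expected = csrf_token_for(session_id)
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return "403 missing or invalid CSRF token"
    # Defence 2: when the browser reports an Origin, it must be our own.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request refused"
    return _apply_transfer(bank, owner, req)


def cross_site_request() -> Request:
    """Constructed request of the shape a victim's browser would emit when a
    third-party page submits to our endpoint: the victim's cookie rides along
    automatically, the fields are chosen by the other page, no token present."""
    return Request(
        cookies={"session": "sess-alice"},
        form={"to": "mallory", "amount": "500"},
        headers={"Origin": "https://third-party.example"},
    )


def same_site_request() -> Request:
    """Constructed request as produced by a form the server itself rendered."""
    return Request(
        cookies={"session": "sess-alice"},
        form={"to": "mallory", "amount": "100",
              "csrf_token": csrf_token_for("sess-alice")},
        headers={"Origin": SITE_ORIGIN},
    )


if __name__ == "__main__":
    bank = new_bank()
    print("vulnerable handler, cross-site request:", transfer_vulnerable(bank, cross_site_request()), bank)
    bank = new_bank()
    print("hardened handler, cross-site request:", transfer_hardened(bank, cross_site_request()), bank)
    print("hardened handler, same-site request:", transfer_hardened(bank, same_site_request()), bank)
```

The token check is the primary defence; the Origin check is a cheap second layer because browsers set that header on cross-origin form posts and a legitimate same-origin post either matches or omits it. Rendering the token into every state-changing form (and never into a GET URL) is what makes the first check enforceable.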

6 of 143 comments

  1. they're fuckin ya by Anonymous Coward · Score: -1, Offtopic

    their big dicks ramming up your faggot linsux ass. keep getting the ass rape bitches. maybe you'll get the aids and die.

  2. Any /. link that shoves an ad in my face... by Jane Q. Public · Score: -1, Offtopic

    ... as blatant as that one deserves boycott.

    Shame. Embarrassment. Negative Karma points.

  3. McCain/Palin '08. Wow! Hope they change! by Jane Q. Public · Score: -1, Offtopic

    No need to say more.

    1. Re:McCain/Palin '08. Wow! Hope they change! by Anonymous Coward · Score: -1, Offtopic

      What do you tell a woman with 2 black eyes? Nothing she hasn't heard twice already. Get back in the kitchen and make me some pie now, bitch.

  4. How can this be "offtopic", when... by Jane Q. Public · Score: -1, Offtopic

    it is a reply to someone else's comment in the same thread?

    If so, you should mark people's taglines, with few exceptions, as being "off-topic", since they usually have little relevance to the subject at hand.

    Really. Excuse me. How can you judge a reply to a tagline as being "off-topic"? Any more than the tagline itself? (In honesty, if people wanted their taglines to be taken seriously, they would change them periodically anyway.)

    If you want to mark something off-topic, start with the taglines. The alternative is to not be able to reply to taglines at all, which is what you tried to do to me. If the tagline is off-topic, then the reply to it is likely to be also; it is wrong to blame the responder.

  5. NOT "flamebait". Criticism. by Jane Q. Public · Score: 0, Offtopic

    There is a difference, after all. Do you feel that you are qualified to be a censor??