ZDNetAsia : Printer Friendly - Four top sites vulnerable to attack, warn researchers

To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Asia.
--------------------------------------------------------------

Four top sites vulnerable to attack, warn researchers

By Tom Espiner
Wednesday, October 01 2008 09:03 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,62046706,00.htm

update Four leading Web sites were or are vulnerable to attack through an underrated vulnerability, according to Princeton University researchers.

While ING Direct, YouTube and Metafilter have taken action to address the cross-site-request-forgery (CSRF) vulnerabilities, the fourth site, belonging to The New York Times, has not been fixed, the researchers claimed in a blog post.

CSRF flaws can be exploited so a user's browser is hijacked during a session and used to access a secure target site. As Web authentication normally relies on cookies containing a pseudo-random session identifier, attributed to a browser at the beginning of a session, a hacker can perform actions normally restricted to the user if that browser is hijacked during the session.

In the case of ING Direct, which the Princeton researchers said was one of the first financial services sites they had found to be vulnerable, the researchers managed to transfer funds out of user accounts and create accounts on behalf of arbitrary users.

The researchers claimed to have discovered CSRF flaws in "nearly every action a user could perform on YouTube", including sending arbitrary messages on the user's behalf. Metafilter blog accounts could be subverted by the attacker changing the user's e-mail to that of the attacker.

The researchers claimed they had let the sites know about these vulnerabilities in September last year, but said the vulnerability on NYTimes.com had still not been fixed. That site's flaw could allow hackers to find out the e-mail addresses of the Web site's users and spam them, the researchers warned.

A New York Times spokeswoman said, however, the security hole now has been rectified.

"We take the security of our site and our users very seriously and act quickly to address any vulnerabilities," she said in a statement to ZDNet Asia's sister site CNET News.com. "The issues outlined in the report have been resolved. We were notified last year by Ed Felten about 'E-mail This' and fixed the problem he outlined then within days. On Tuesday, we were alerted to a more complicated variant of the same problem [in their blog post] and we closed that security hole immediately."

The Princeton researchers warned in a research paper that CSRF vulnerabilities were the "sleeping giant" of Web flaws, and said many sites were open to attack through these flaws. The researchers suggested a number of ways to prevent CSRF. These included Web developers coding to allow GET requests to only retrieve data, and not modify any data on the server.

Elinor Mills of CNET News.com contributed to this article.