[ISN] Nasty web bug descends on world's most popular sites

InfoSec News alerts at infosecnews.org
Tue Sep 30 03:17:38 CDT 2008


http://www.theregister.co.uk/2008/09/30/web_bug_bites_sites/

By Dan Goodin in San Francisco
The Register
30th September 2008

Underscoring the severity of an exotic form of website bug, security 
researchers from Princeton University have cataloged four cross-site 
request forgeries in some of the world's most popular sites.

The most serious vulnerability by far was in the website of global 
financial services company ING Direct. The flaw could have allowed an 
attacker to transfer funds out of a user's account, or to create 
additional accounts on behalf of a victim, according to this post [1] 
from Freedom to Tinker blogger Bill Zeller.

The vulnerabilities were confirmed for users of Firefox and Internet 
Explorer browsers, and ING's use of the secure sockets layer protocol 
did nothing to prevent the attack. ING plugged the hole after Zeller and 
colleague Ed Felten reported it privately.

Cross-site request forgery (CSRF) vulnerabilities occur when a website 
carries out an action without first confirming it was requested by the 
authenticated user. Miscreants can exploit this shortcoming by including 
code on an attack site that causes the user's browser to send commands 
to a site such as ING.com. ING.com then carries out the command under 
the mistaken notion that because it was requested by the browser, it was 
invoked by the user.
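The mechanism described above, as an added illustration that is not part of the article or of ING's code: a transfer handler that trusts nothing but the session cookie (which the browser attaches to cross-site requests too) beside one hardened with a per-session synchronizer token and an Origin/Referer check. The bank origin, the session layout and the request data are constructed for the example; the Origin-header check assumes a browser that sends Origin on cross-site form posts.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical bank origin; the page does not give the real site's hostname.
BANK_ORIGIN = "https://bank.example"

def transfer_unprotected(session, form):
    """Vulnerable pattern: the only check is that the browser carried a
    logged-in session cookie, which it also does for cross-site requests."""
    if not session.get("user"):
        return "denied: not logged in"
    session["balance"] -= int(form["amount"])
    return f"sent {form['amount']} to {form['to']}"

def issue_csrf_token(session):
    """Synchronizer token: a per-session secret embedded in the bank's own
    forms; a page on another origin cannot read it."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def same_origin(headers):
    """Defence in depth: modern browsers send Origin (or Referer) on
    cross-site form posts, so a state-changing request from elsewhere is refused."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == BANK_ORIGIN

def transfer_protected(session, form, headers):
    if not session.get("user"):
        return "denied: not logged in"
    expected, supplied = session.get("csrf", ""), form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "denied: missing or wrong CSRF token"
    if not same_origin(headers):
        return "denied: cross-site request"
    session["balance"] -= int(form["amount"])
    return f"sent {form['amount']} to {form['to']}"

def demo():
    session = {"user": "victim", "balance": 1000}
    token = issue_csrf_token(session)
    forged = {"to": "attacker", "amount": "500"}  # constructed attacker-supplied form
    r1 = transfer_unprotected(session, forged)
    r2 = transfer_protected(session, forged, {"Origin": "https://evil.example"})
    r3 = transfer_protected(session, {**forged, "csrf_token": token}, {"Origin": BANK_ORIGIN})
    return r1, r2, r3, session["balance"]
```

The forged request succeeds against the unprotected handler, is refused by the protected one, and the same handler still accepts a request carrying the token from the bank's own origin.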

[1] http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks

[...]



