Vulnerability Alerts
SANS
 
Microsoft
 
CERT/CC
 
 
 
Latest Comments
"lol"
on Internet filtering ineffective in fight against terror
by Tina | Jul 5, 2009 12:04 AM
 
"Good! Its very good blog the for the people who are having debit collection and credit report ..."
on Fake Microsoft anti-spyware site stealing credit card info
by identity theft lawyers | Jul 4, 2009 6:55 PM
 
"nothing"
on Ads on Facebook serving up adware
by UMAIR | Jul 4, 2009 5:54 PM
 
"Thank you "
on Search engine promises completely private surfing
by Dr. Holub | Jul 4, 2009 11:17 AM
 
"Agree that wireless hotspots are an easy way for hackers to gather information from connected ..."
on New devices make hotspots a hacker's paradise
by Patrick Hooper | Jul 3, 2009 4:06 AM
Web

YouTube vulnerable in new forgery flaws

  • Email a Friend
  • Print Page
YouTube vulnerable in new forgery flaws
Related Articles
By Emma Hughes
Oct 1, 2008 10:46 AM | 1 Comment
Tags: Forgery | flaws | exposed | Princeton | University
Silent but deadly attacks on four major sites have been revealed by researchers Ed Felten and Bill Zeller at Princeton University.
Silent but deadly attacks on four major sites have been revealed by researchers Ed Felten and Bill Zeller at Princeton University.

These attacks are known as cross site request forgery (CSRF) and have been known to allow an attacker to transfer money out of a victim’s bank account.

The researchers found four sites vulnerable to these attacks: ING, Youtube, MetfFilter and The New York Times, the latter being the only one still harbouring the CSRF flaw which allows email and address details to be accessed.

ING's vulberability was most worrisome as an attacker could transfer money from a customer's account into another account which the attacker opened in the victim's name. ING didn’t protect its site from these kinds of attacks and they can go completely unnoticed.

Youtube was found to have the flaw in the sense that an attacker could send messages acting on behalf of another user, which could potentially be offensive, Metafilter’s flaw allowed an attacker to take over a victim's account.

Both Youtube and MetaFilter have rectified this problem since being alerted to it by the Princeton researchers, The New York Times however, has not.

Zeller explains that, "The severity of the attacks we found illustrates that developers are not as familiar as they should be with these types of attacks"

The research has not only highlighted the problem, but has also come up with a deterrent – a plugin for Firefox to protect the client and the Code Igniter PHP server framework has been released, however this is limited as it only protects the users from cross-site POST requests.

Although these examples are a good start, this is only the tip of a very large iceberg – the problem won’t be resolved until people are more educated about CSRF attacks. µ

L'Inq

Freedom to Tinker

theinquirer.net (c) 2009 Incisive Media

 
Ads by Google
Thoughts on this article? Add a comment below.
Comments: 1
CodeIgniter's core has some (rather crude and restrictive) XSS thwarting functionality BUT DOES NOT have CSRF thwarting capabilities. A Plugin for CodeIgniter to thwart CSRF has been released recently, however, info at: http://codeigniter.com/forums/viewthread/92399/
SC Magazine - comments icon Posted by coderOct 2, 2008 5:23 PM
Report this comment as offensive:

   * Indicates information we require to process your submission.

Name: *
Email: *
Reason for offense: *
Your report will not be displayed.  
Name:
*
 
Email:
(will not be displayed)
*
 
Comment:
(HTML not permitted)
*
 
Validation
*

Enter the code you see below:

 

 
 
 
 
 
Exclusive Data Centre - Sponsored Content by Microsoft
 
Vulnerabilities & Exploits Whitepapers
 
Popular Tags
apple aviv browser bug bugs chrome fixes flaws google iphone july month patch patches quicktime raff security social update upgrade