Researchers from Princeton University Publish vulnerabilities in unpatched sites
Yesterday a couple of 'researchers' published that a couple of major sites were vulnerable to CSRF. A general rule of thumb is that unless you are explicitly protecting against CSRF, or are accidentally protected, then you're vulnerable. CSRF in 2008 is what XSS was in 2002, somewhat understood and rarely protected against properly. Generally I hate it when the media/industry people sensationalize a known issue, however feel that letting people know that this issue is common is important (even though there is no new research/data published) hence the post.
From the article
"ING, YouTube, and MetaFilter all have since fixed these vulnerabilities after being alerted to them by the researchers, but as of press time, the fourth, The New York Times, still harbored a CSRF flaw on its site that would let an attacker cull and abuse email addresses from online subscribers to the site. "
Darkreading article: http://www.darkreading.com/document.asp?doc_id=164854&WT.svl=news1_1
CSRF FAQ: http://www.cgisecurity.com/articles/csrf-faq.shtml
Comments
You can follow this conversation by subscribing to the comment feed for this post.
All Comments are Moderated and will be delayed!
Post a comment