ICANN/GNSO GNSO Email List Archives


[ga] CSRF Flaws Found On Major Websites, Including a Bank

  • To: Ga <ga@xxxxxxxxxxxxxx>
  • Subject: [ga] CSRF Flaws Found On Major Websites, Including a Bank
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Tue, 30 Sep 2008 02:08:53 -0700

All,

  As an FYI and FWIW, everyone that does online banking or
other financial activities online should have the ability to
do CSRF scans independent of any service that you may
be using that purports to do so for you.  I have found that
occasionally McAfee misses CSRF vulnerable web sites.

  CSRF is by no means a new security vulnerability to any
user; it has been around for years, largely ignored and
not widely discussed or known, but it can be very harmful.

Other reliable links regarding CSRF not mentioned in the below
article:
http://www.cgisecurity.com/articles/csrf-faq.shtml
http://www.gnucitizen.org/blog/persistent-csrf-and-the-hotlink
http://getahead.org/blog/joe/2007/01/01/csrf_attacks_or_how_to
http://www.squarefree.com/securitytips/web-developers.html
http://www.tux.org/~peterw/csrf.txt

A recent announcement by Princeton researchers names four major Web
sites on which they found exploitable cross-site request forgery
vulnerabilities:
http://www.darkreading.com/document.asp?doc_id=164854&WT.svl=news1_1
The sites are the NYTimes, YouTube, Metafilter, and INGDirect. All but
the NYTimes site have patched the hole. "... four major Websites
susceptible to the silent-but-deadly cross-site request forgery attack
including one on INGDirect.com's site that would let an attacker
transfer money out of a victim's bank account ... Bill Zeller, a PhD
candidate at Princeton, says the CSRF bug that he and fellow researcher
Edward Felten found on INGDirect.com represents ... 'the first example
of a CSRF attack that allows money to be transferred out of a bank
account that [we're] aware of.' ... CSRF is little understood in the
Web development community, and it is therefore a very common
vulnerability on Websites. 'It's basically wherever you look,' says
[a security researcher]."

Here are Zeller's Freedom to Tinker post
http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks
and the research paper (PDF):
http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827
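The defense the cited research paper recommends for the kind of money-transfer bug described above is the synchronizer token pattern: a state-changing request must carry a per-session secret that a foreign site cannot read or supply. The sketch below is added example code, not code from the post, the paper, or any of the sites named; the in-memory session store, the handler names and the `https://bank.example` origin are constructed stand-ins.

```python
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> session data.
SESSIONS = {}
SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected site


def new_session(user, balance=1000):
    """Log a user in: issue a session cookie and a per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "balance": balance}
    return sid


def transfer_vulnerable(cookies, form):
    """Authenticates by cookie alone. The browser attaches the cookie to a
    form post from any site, so a forged request is indistinguishable."""
    sess = SESSIONS.get(cookies.get("sid"))
    if sess is None:
        return 401, "login required"
    sess["balance"] -= int(form["amount"])
    return 200, "ok"


def transfer_hardened(cookies, headers, form):
    """Synchronizer-token check, with an Origin/Referer check as defense in depth."""
    sess = SESSIONS.get(cookies.get("sid"))
    if sess is None:
        return 401, "login required"
    origin = headers.get("Origin")
    referer = headers.get("Referer", "")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    if origin is None and referer and not referer.startswith(SITE_ORIGIN + "/"):
        return 403, "cross-site request rejected"
    # The token lives in the form body, not in a cookie, so another site
    # cannot read or supply it; compare in constant time.
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
        return 403, "missing or invalid csrf token"
    sess["balance"] -= int(form["amount"])
    return 200, "ok"
```

A request that arrives with the session cookie but without the token is exactly what a cross-site form post looks like, and the hardened handler rejects it while the cookie-only handler executes the transfer.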