Information Security News mailing list archives
Nasty web bug descends on world's most popular sites
From: InfoSec News <alerts () infosecnews org>
Date: Tue, 30 Sep 2008 03:17:38 -0500 (CDT)
http://www.theregister.co.uk/2008/09/30/web_bug_bites_sites/

By Dan Goodin in San Francisco
The Register
30th September 2008

Underscoring the severity of an exotic form of website bug, security researchers from Princeton University have cataloged four cross-site request forgeries in some of the world's most popular sites.

The most serious vulnerability by far was in the website of global financial services company ING Direct. The flaw could have allowed an attacker to transfer funds out of a user's account, or to create additional accounts on behalf of a victim, according to this post [1] from Freedom to Tinker blogger Bill Zeller. The vulnerabilities were confirmed for users of Firefox and Internet Explorer browsers, and ING's use of the secure sockets layer protocol did nothing to prevent the attack. ING plugged the hole after Zeller and colleague Ed Felten reported it privately.

Cross-site request forgery (CSRF) vulnerabilities occur when a website carries out an action without first confirming it was requested by the authenticated user. Miscreants can exploit this shortcoming by including code on an attack site that causes the user's browser to send commands to a site such as ING.com. ING.com then carries out the command under the mistaken notion that because it was requested by the browser, it was invoked by the user.

[1] http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks

[...]

__________________________________________________
Register now for HITBSecConf2008 - Malaysia! With a new triple-track conference featuring 4 keynote speakers and over 35 international experts, this is the largest network security event in Asia and the Middle East!
http://conference.hackinthebox.org/hitbsecconf2008kl/
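The failure the article describes is a state-changing endpoint that trusts the session cookie alone, so any request the browser is induced to send looks like one the user made. The example below is added here to illustrate the point; it is not ING's code nor the Princeton researchers' code. It models a hypothetical bank "transfer" handler as plain Python functions: the pre-fix version acts on any authenticated POST, while the hardened version requires a per-session synchronizer token that only pages served from the site's own origin can read, plus a check of the Origin/Referer header. The origin "https://bank.example" and the session and request structures are constructed for the example. Note that none of the checks depend on TLS, which is why SSL alone gave no protection.

```python
"""Synchronizer-token CSRF defence for a state-changing endpoint (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed placeholder for the site's own origin.
SITE_ORIGIN = "https://bank.example"


@dataclass
class Session:
    """Server-side session, looked up from the cookie the browser attaches."""
    user: str
    balance: int
    # Unpredictable per-session token; an attacker page cannot read it
    # because the same-origin policy blocks cross-origin reads of our HTML.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed)."""
    method: str
    form: dict
    headers: dict


def render_transfer_form(session: Session) -> str:
    """Embed the session's token in the legitimate form as a hidden field."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="amount"><button>Transfer</button></form>'
    )


def transfer_vulnerable(session: Session, req: Request) -> tuple[int, str]:
    """Pre-fix behaviour: the cookie identifies the user, so the request is
    honoured no matter which page caused the browser to send it."""
    amount = int(req.form.get("amount", 0))
    session.balance -= amount
    return 200, "transferred"


def _same_origin(value: str) -> bool:
    # Exact match or a path under it; avoids matching "https://bank.example.evil".
    return value == SITE_ORIGIN or value.startswith(SITE_ORIGIN + "/")


def transfer_protected(session: Session, req: Request) -> tuple[int, str]:
    """Hardened handler: proves the request came from a page we served."""
    if req.method != "POST":
        return 405, "method not allowed"
    # Defence 1: browsers set Origin (or Referer) on cross-site form posts,
    # and attacker-controlled pages cannot forge these headers.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not _same_origin(origin):
        return 403, "cross-origin request rejected"
    # Defence 2: the synchronizer token must match this session's token.
    # Constant-time comparison avoids leaking the token via timing.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    amount = int(req.form.get("amount", 0))
    if amount <= 0 or amount > session.balance:
        return 400, "bad amount"
    session.balance -= amount
    return 200, "transferred"


def demo() -> dict:
    """Run a legitimate request and a cross-origin one through both handlers."""
    alice = Session(user="alice", balance=1000)
    legit = Request("POST", {"amount": "100", "csrf_token": alice.csrf_token},
                    {"Origin": SITE_ORIGIN})
    # A form auto-submitted from another site carries the cookie but neither
    # our token nor our origin (constructed sample of the cross-site case).
    cross_site = Request("POST", {"amount": "100"},
                         {"Origin": "https://other.example"})
    results = {
        "protected_legit": transfer_protected(alice, legit),
        "protected_cross_site": transfer_protected(alice, cross_site),
        "balance_after_protected": alice.balance,
    }
    bob = Session(user="bob", balance=1000)
    results["vulnerable_cross_site"] = transfer_vulnerable(bob, cross_site)
    results["balance_after_vulnerable"] = bob.balance
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks are layered deliberately: the token defends even when a browser omits Origin and Referer (privacy extensions, some older clients), and the origin check catches a token that leaks through another bug. Either check must be applied to every endpoint that changes state, since a single unprotected handler is enough to reproduce the problem.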