
Top websites hit by hijack flaw

870 views, 0 replies, 1 participant, last post by sjb007
Two Princeton University academics have found a type of coding flaw on several prominent Websites that could jeopardise personal data and in one alarming case, drain a bank account.

The type of flaw, called cross-site request forgery (CSRF), allows an attacker to perform actions on a website on behalf of a victim who is already logged into the site.

CSRF flaws have largely been ignored by web developers due to a lack of knowledge, wrote William Zeller and Edward Felten, who authored a research paper on their findings.

The flaw was found on the websites of The New York Times; ING Direct, a US savings bank; Google's YouTube; and MetaFilter, a blogging site.

To exploit a CSRF flaw, an attacker has to create a special web page and lure a victim to the page. The malicious website is coded to send a cross-site request through the victim's browser onto another site.

Unfortunately the programming language that underpins the Internet, HTML, makes it easy to do two types of requests, both of which can be used for CSRF attacks, the authors wrote.

That fact points to how web developers are pushing the programming envelope to design web services but sometimes with unintended consequences.

"The root cause of CSRF and similar vulnerabilities probably lies in the complexities of today's web protocols and the gradual evolution of the web from a data presentation facility to a platform for interactive services," according to the paper.

Full article here - http://www.techworld.com/news/index.cfm?RSS&NewsID=105083
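The post describes the mechanism (a third-party page causes the victim's browser to send a request that carries the victim's session cookie) but not the server-side fix. The following is an added example, not code from the post, the Techworld article, or the Zeller/Felten paper. It models a hypothetical transfer endpoint as a plain function over a request dictionary and applies the standard synchronizer-token defence: a per-session token that only the site's own pages can embed in their forms. The session id, secret and account names are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Assumption: a server-side secret (constructed here; load from config in practice)
SERVER_SECRET = b"example-server-secret-not-for-production"

# Constructed session store: session cookie value -> logged-in account owner
SESSIONS = {"sess-alice-001": "alice"}


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token as an HMAC over the session id.

    The site embeds this in a hidden field of its own forms. A page on another
    origin cannot read it, so a request it causes the browser to send lacks it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    if not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def handle_transfer(request: dict) -> Tuple[int, str]:
    """Hypothetical money-transfer endpoint (stand-in for the bank case above).

    `request` is a dict standing in for an HTTP request:
      {"method": "POST", "cookies": {...}, "form": {...}}
    Returns (status_code, message).
    """
    # 1. State-changing actions only over POST. HTML <img> and <a> tags issue
    #    GETs from any origin, so a GET must never move money.
    if request.get("method") != "POST":
        return 405, "state-changing action requires POST"

    # 2. The browser attaches the session cookie automatically, even to a
    #    request a third-party page triggered, so the cookie alone says nothing
    #    about who intended the action.
    session_id = request.get("cookies", {}).get("session")
    owner = SESSIONS.get(session_id)
    if owner is None:
        return 401, "not logged in"

    # 3. The token is the evidence that the form was served by this site.
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"

    return 200, f"{owner} transferred {form['amount']} to {form['to']}"


# Constructed sample requests as the server would see them
def legitimate_request() -> dict:
    sid = "sess-alice-001"
    return {
        "method": "POST",
        "cookies": {"session": sid},
        "form": {"to": "bob", "amount": "100", "csrf_token": issue_csrf_token(sid)},
    }


def cross_site_post_request() -> dict:
    # A form auto-submitted from another origin: the victim's cookie rides
    # along, but the other origin cannot know the token.
    return {
        "method": "POST",
        "cookies": {"session": "sess-alice-001"},
        "form": {"to": "mallory", "amount": "100"},
    }


def cross_site_get_request() -> dict:
    # What an image tag pointing at the transfer URL yields at the server.
    return {
        "method": "GET",
        "cookies": {"session": "sess-alice-001"},
        "form": {"to": "mallory", "amount": "100"},
    }


if __name__ == "__main__":
    for name, req in [("legitimate", legitimate_request()),
                      ("cross-site POST", cross_site_post_request()),
                      ("cross-site GET", cross_site_get_request())]:
        print(name, handle_transfer(req))
```

Only the legitimate request reaches the transfer; the two cross-site requests carry a valid session cookie yet are rejected, because the cookie is never treated as proof of intent. Binding the token to the session with an HMAC avoids storing per-form tokens server-side, and `hmac.compare_digest` keeps the check constant-time.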