Princeton University security researchers have released a report revealing that four popular sites were recently attacked by CSRF (Cross-Site Request Forgery or 'seasurf') exploits. The vulnerabilities were discovered in The New York Times, MetaFilter, YouTube, and ING Direct. The New York Times exploit used the Times’ 'email story' feature, which compromised user email addresses. The MetaFilter exploit allowed attackers to take over a user’s account, and the YouTube hack could have done pretty much anything to a user’s profile. The most serious attack was ING’s, which the researchers believe is the first published attack on a financial institution.
"We discovered CSRF vulnerabilities in ING's site that allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user's account to the attacker's account."
The danger of CSRF attacks is that they act through sites the user trusts:
"Cross-Site Request Forgery (CSRF) attacks occur when a malicious web site causes a user’s web browser to perform an unwanted action on a trusted site. These attacks have been called the “sleeping giant” of web-based vulnerabilities, because many sites on the Internet fail to protect against them and because they have been largely ignored by the web development and security communities."
The researchers advised the sites of the attacks, and the issues have been resolved.
The researchers expect to see a growth in CSRF attacks as web interactivity continues to increase. “As more capabilities are added to browser clients, and as more sites involve sophisticated programming and client-server interactive services, CSRF and related attacks will become more prevalent unless defenses are adopted.” They have created a Firefox plugin that will protect against future CSRF attacks.
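An added illustration, not taken from the report or from the researchers' plugin, of how a site can refuse the kind of forged request described above: a state-changing request is accepted only if it carries a token bound to the user's session and, when the browser sends an Origin header, that header names the site itself. The key, origin, session identifiers and function names are assumptions made up for this example.

```python
import hashlib
import hmac
import secrets

# Constructed values for the example (hypothetical site and key).
SERVER_KEY = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://bank.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session_id: str) -> str:
    """Token the trusted site embeds in its own forms, bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_forged(method: str, headers: dict, session_id: str, form: dict) -> bool:
    """Return True when a state-changing request should be rejected."""
    if method.upper() in SAFE_METHODS:
        return False  # safe methods must never change state on the server
    # The browser sets Origin itself; a page on another site cannot override it.
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return True
    # The session cookie is attached automatically, the token is not: a page on
    # another site cannot read it, so the request it triggers arrives without it.
    supplied = form.get("csrf_token", "")
    expected = issue_token(session_id)
    return not hmac.compare_digest(supplied.encode(), expected.encode())


def demo() -> dict:
    """Run four constructed requests through the check."""
    sid = "session-1234"  # constructed session identifier
    transfer = {"to": "acct-2", "amount": "100"}  # constructed form fields
    return {
        "own_form": is_forged("POST", {"Origin": TRUSTED_ORIGIN}, sid,
                              {**transfer, "csrf_token": issue_token(sid)}),
        "cross_site": is_forged("POST", {"Origin": "https://other.example"},
                                sid, transfer),
        "no_origin_no_token": is_forged("POST", {}, sid, transfer),
        "other_session_token": is_forged(
            "POST", {}, sid,
            {**transfer, "csrf_token": issue_token("session-9999")}),
    }


if __name__ == "__main__":
    print(demo())
```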