[Slashdot] CSRF Flaws Found On Major Websites, Including a Bank

An anonymous reader sends a link to DarkReading on the recent announcement by Princeton researchers of four major Web sites on which they found exploitable cross-site request forgery vulnerabilities. The sites are the NYTimes, YouTube, Metafilter, and INGDirect. All but the NYTimes site have patched the hole. "...four major Websites susceptible to the silent-but-deadly cross-site request forgery attack — including one on INGDirect.com's site that would let an attacker transfer money out of a victim's bank account... Bill Zeller, a PhD candidate at Princeton, says the CSRF bug that he and fellow researcher Edward Felten found on INGDirect.com represents... 'the first example of a CSRF attack that allows money to be transferred out of a bank account that [we're] aware of.'... CSRF is little understood in the Web development community, and it is therefore a very common vulnerability on Websites. 'It's basically wherever you look,' says [a security researcher]." Here are Zeller's Freedom to Tinker post and the research paper (PDF).
Read more of this story at Slashdot.
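The story says the INGDirect flaw let a forged request move money, but not what the missing check looks like. The following added example (not from the Slashdot story, DarkReading, or the Princeton paper) shows a minimal, framework-free transfer handler in two forms: one that trusts the session cookie alone, and one that also requires a per-session synchronizer token that the server embeds in its own form and that a cross-site attacker cannot read. The session store, balances and request dictionaries are all constructed here for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session state.
# In a real deployment this would be the server-side session backend.
SESSIONS = {}


def new_session(balance=1000):
    """Create a logged-in session with a fresh, unguessable CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "balance": balance}
    return sid


def render_transfer_form(sid):
    """The server's own transfer page embeds the session's token in a hidden
    field. A page on another origin cannot read this value, because the
    browser's same-origin policy blocks it from reading the response."""
    return {"csrf_token": SESSIONS[sid]["csrf_token"]}


def handle_transfer_unprotected(sid, form):
    """Vulnerable pattern: the only authentication is the session cookie,
    which the browser attaches to any request, including one a third-party
    page triggers. Any site the victim visits can submit this form."""
    session = SESSIONS.get(sid)
    if session is None:
        return (401, "no session")
    amount = int(form.get("amount", 0))
    if amount <= 0 or amount > session["balance"]:
        return (400, "bad amount")
    session["balance"] -= amount
    return (200, "transferred %d" % amount)


def handle_transfer_protected(sid, form):
    """Hardened pattern: the request must carry the token the server handed
    out with the form. A cross-site page can cause the browser to send the
    cookie, but it cannot supply the token, so the forged request is refused
    before any state changes."""
    session = SESSIONS.get(sid)
    if session is None:
        return (401, "no session")
    submitted = str(form.get("csrf_token", ""))
    # Constant-time comparison so the check does not leak the token
    # byte by byte through timing differences.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return (403, "csrf token missing or invalid")
    amount = int(form.get("amount", 0))
    if amount <= 0 or amount > session["balance"]:
        return (400, "bad amount")
    session["balance"] -= amount
    return (200, "transferred %d" % amount)


def demo():
    """Run one legitimate request and one forged request against each
    handler. The forged request mimics what a third-party page can produce:
    the victim's cookie (sid) is attached by the browser, but the form body
    is attacker-chosen and cannot include the session's token."""
    sid = new_session()
    legit = dict(render_transfer_form(sid), amount=100)
    forged = {"amount": 100}  # no token: attacker never saw the form

    results = {
        "unprotected_forged": handle_transfer_unprotected(sid, forged)[0],
        "protected_forged": handle_transfer_protected(sid, forged)[0],
        "protected_legit": handle_transfer_protected(sid, legit)[0],
        "protected_wrong_token": handle_transfer_protected(
            sid, {"csrf_token": "guess", "amount": 100})[0],
        "balance": SESSIONS[sid]["balance"],
    }
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The unprotected handler accepts the forged request (status 200) and debits the account; the protected one rejects it (403) and only honours the request that carries the token served with the form. Modern browsers add a second layer through `SameSite` cookie attributes, but the token check remains the server-side control that does not depend on client behaviour.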