AOH :: IS1186.HTM

Nasty web bug descends on world's most popular sites




Nasty web bug descends on world's most popular sites
Nasty web bug descends on world's most popular sites



http://www.theregister.co.uk/2008/09/30/web_bug_bites_sites/ 

By Dan Goodin in San Francisco
The Register
30th September 2008

Underscoring the severity of of an exotic form of website bug, security 
researchers from Princeton University have cataloged four cross-site 
request forgeries in some of the world's most popular sites.

The most serious vulnerability by far was in the website of global 
financial services company ING Direct. The flaw could have allowed an 
attacker to transfer funds out of a user's account, or to create 
additional accounts of behalf of a victim, according to this post [1] 
from Freedom to Tinker blogger Bill Zeller.

The vulnerabilities were confirmed for users of Firefox and Internet 
Explorer browsers, and ING's use of the secure sockets layer protocol 
did nothing to prevent the attack. ING plugged the hole after Zeller and 
colleague Ed Felton reported it privately.

Cross-site request forgery (CSFR) vulnerabilities occur when a website 
carries out an action without first confirming it was requested by the 
authenticated user. Miscreants can exploit this shortcoming by including 
code on an attack site that causes the user's browser to send commands 
to a site such as ING.com. ING.com then carries out the command under 
the mistaken notion that because it was requested by the browser, it was 
invoked by the user.

[1] http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks 

[...]


__________________________________________________      
Register now for HITBSecConf2008 - Malaysia! With 
a new triple-track conference featuring 4 keynote 
speakers and over 35 international experts, this 
is the largest network security event in Asia and 
the Middle East! 
http://conference.hackinthebox.org/hitbsecconf2008kl/ 

Site design & layout copyright © 1986-2014 CodeGods