CSRF bug on INGDirect.com could have allowed fraudulent transfers
by Steve Ragan - Sep 30 2008, 11:12
Researchers publish report on four major sites with CSRF flaws. (Image: J. Anderson)
Researchers from Princeton University released a paper Monday that detailed Cross-Site Request Forgery (CSRF) vulnerabilities on four major Web sites. One of the CSRF flaws, located on INGDirect.com, could have allowed criminals to trick users into making fund transfers before the error was fixed.
CSRF describes an attack in which a malicious page forces a user’s browser to send a request to another site, riding on the user’s existing logged-in session, with no warning to or knowledge on the part of the user.
Bill Zeller and Edward Felten discovered CSRF flaws on NYTimes.com, MetaFilter.com, YouTube.com, and INGDirect.com, with the most damning of the flaws being on ING’s Web site. ING is the fourth-largest savings bank in the United States, with over $62 billion USD in assets and over four million customers.
“We discovered CSRF vulnerabilities in ING’s site that allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user’s account to the attacker’s account,” the research paper noted, adding that SSL did nothing to prevent the attack. “Since ING did not explicitly protect against CSRF attacks, transferring funds from a user’s accounts was as simple as mimicking the steps a user would take when transferring funds.”
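The missing check the paper describes, shown here as an added example that is neither the paper’s nor ING’s code: a minimal transfer handler that rejects any request whose form body does not carry a secret token tied to the user’s session. The browser attaches the session cookie to a forged cross-site request automatically, but a page on another site cannot read the token out of the bank’s page, so the forged request fails. The in-memory session store, the cookie and field names, and the balance logic are assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session record (assumption, not ING's design)
SESSIONS = {}

def create_session(user):
    """Log a user in and mint a per-session anti-CSRF token alongside the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "balance": 1000}
    return sid

def render_transfer_form(sid):
    """What the transfer page embeds for the browser: the token lives in the page body
    (a hidden input), never in a cookie, so a third-party page cannot obtain it."""
    return {"csrf_token": SESSIONS[sid]["csrf"]}

def handle_transfer(request):
    """Process POST /transfer. `request` mimics what the server sees: cookies + form fields.
    A forged cross-site request carries the victim's cookie but no matching csrf_token."""
    sid = request.get("cookies", {}).get("session")
    s = SESSIONS.get(sid)
    if s is None:
        return 401, "not logged in"
    form = request.get("form", {})
    token = form.get("csrf_token", "")
    # Constant-time comparison on bytes, so the check is neither a timing oracle nor type-fragile
    if not hmac.compare_digest(token.encode(), s["csrf"].encode()):
        return 403, "missing or invalid anti-CSRF token"
    try:
        amount = int(form["amount"])
    except (KeyError, ValueError):
        return 400, "bad amount"
    if amount <= 0 or amount > s["balance"]:
        return 400, "bad amount"
    s["balance"] -= amount
    return 200, f"transferred {amount} to {form.get('to', '?')}"

def demo():
    """Constructed scenario: one forged request (cookie only) and one from the real form."""
    sid = create_session("alice")
    forged = {"cookies": {"session": sid}, "form": {"to": "other-account", "amount": "500"}}
    legit = {"cookies": {"session": sid},
             "form": {"to": "bob", "amount": "500", **render_transfer_form(sid)}}
    return handle_transfer(forged)[0], handle_transfer(legit)[0], SESSIONS[sid]["balance"]

if __name__ == "__main__":
    print(demo())  # (403, 200, 500)
```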
ING had fixed the CSRF problem on its site before the research was published, so the steps covered in the report no longer worked.
The CSRF flaw on the NYTimes site, which was still valid as of September 24, 2008, allows an attacker to collect the e-mail addresses of registered users.
“To exploit this vulnerability, an attacker causes a logged-in user’s browser to send a request to the NYTimes.com “Email This” page. The page accepting “Email This” requests does not protect against CSRF attacks, so the user’s browser will cause a request to be sent to NYTimes.com that will trigger it to send an email to an address of the attacker’s choosing. If the attacker changes the recipient email address to his own email address, he will receive an email from NYTimes.com containing the user’s email address,” the researchers reported.
On MetaFilter.com an attacker is able to control user accounts by exploiting two CSRF flaws. The first flaw forces a user to add the attacker to their account contact list. Once added, the second flaw allows the attacker to change the user’s e-mail address. This new address could then be used to exploit the 'Lost Password' feature on MetaFilter.com. This flaw has also since been fixed.
The final CSRF flaw, discovered on video-sharing site YouTube (and since fixed), allowed an attacker to add videos to a user’s "Favorites," add themselves to a user’s "Friend" or "Family" list, send arbitrary messages on the user's behalf, flag videos as inappropriate, automatically share a video with a user's contacts, subscribe a user to a "channel", and add videos to a user's "QuickList".
The research and its examples are great learning material for CSRF vulnerabilities.
You can read the whole paper by clicking here.