According to a recent post and paper by Bill Zeller, The New York Times was among four popular Websites that got hacked through a CSRF vulnerability.
This CSRF vulnerability was exploited to extract the email address of a logged-in user. The attack can be used for identification (e.g., finding the email addresses of all users who visit an attacker's site) or for spam. It is particularly dangerous because of the large number of users who have NYTimes accounts and because the NYTimes keeps users logged in for over a year. According to the report, the New York Times fixed this issue after a few months of prodding by the author.

Here's a great summary by the author about CSRF and how little the IT and security community know about this vulnerability:

"The Sleeping Giant

Cross-Site Request Forgery (CSRF) attacks occur when a malicious Website causes a user's Web browser to perform an unwanted action on a trusted site. These attacks have been called the 'sleeping giant' of Web-based vulnerabilities, because many sites fail to protect against them and they've been largely ignored by the Web development and security communities. CSRF attacks do not appear in the Web Security Threat Classification and are rarely discussed in academic or technical literature.

CSRF attacks are simple to diagnose, simple to exploit and simple to fix. They exist because Web developers are uneducated about the cause and seriousness of CSRF attacks. Web developers also may be under the mistaken impression that defenses against the better-known Cross-Site Scripting (XSS) problem also protect against CSRF attacks."

by Erin Swanson ESwanson@cenzic.com
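To make the "simple to fix" point concrete, here is an added example (not code from Zeller's paper, this post, or the NYTimes) showing the vulnerable pattern beside its hardened form: the vulnerable handler trusts the session cookie alone, so any site the user visits can trigger the request; the hardened handler also requires a per-session anti-CSRF token that only the trusted site's own pages can embed, and optionally checks the Origin header. The session store, user value and site URL are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store keyed by session cookie (example assumption).
SESSIONS = {}
TRUSTED_SITE = "https://www.example.com"  # placeholder origin for the trusted site


def new_session(user="alice@example.com"):
    """Create a session with a random, per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Only the trusted site can embed the token: a third-party page never sees it."""
    token = SESSIONS[sid]["csrf"]
    return (f'<form method="post" action="/account">'
            f'<input type="hidden" name="csrf" value="{token}"></form>')


def account_vulnerable(sid, form):
    """Vulnerable: authenticates by cookie only, so a forged cross-site
    request carrying the victim's cookie is served just like a real one."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, None
    return 200, sess["user"]


def account_hardened(sid, form, origin=None):
    """Hardened: cookie AND a matching session-bound token are required.
    An Origin header, when the browser sends one, must name the trusted site."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, None
    if origin is not None and origin != TRUSTED_SITE:
        return 403, None
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return 403, None
    return 200, sess["user"]
```

A forged request from another site reaches `account_vulnerable` with the victim's cookie and gets the email back; the same request to `account_hardened` is refused because the attacker's page cannot read or guess the token.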