Popular Websites Vulnerable to Cross-Site Request Forgery Attacks

221255 Resource 202615 202768 202768 1229737451585 1229737868683 Controlled Real World Hacking Example: The New York Times

CSRF vulnerability in the New York Times Website allows hackers to detect email addresses of users

<a href="http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks"><img alt="Real-world hacking example - the new york times" hspace="10" src="http://www.cenzic.com/images/blog/hacker_gold.jpg" align="right" vspace="10" border="0" /></a>According to a recent <a title="Real world examples of hacking - the new york times" href="http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks" target="_blank">post</a> and <a title="CRSF vulnerability examples - 4 popular Websites hacked" href="http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf" target="_blank">paper</a> by Bill Zeller, The New York Times was among four popular Websites that got hacked through a CSRF vulnerability.  This CSRF vulnerability was exploited to extract the email address of a user.  The attack can be used for identification (e.g., finding the email addresses of all users who visit an attacker's site) or for spam. This attack is particularly dangerous because of the large number of users who have NYTimes' accounts and because the NYTimes keeps users logged in for over a year.  According to the report, the New York Times fixed this issue after a few months of prodding by the author.  Here’s a great summary by the author about CSRF and how little the IT and security community know about this vulnerability:The Sleeping Giant Cross-Site Request Forgery (CSRF) attacks occur when a malicious Website causes a user’s Web browser to perform an unwanted action on a trusted site. These attacks have been called the “sleeping giant” of Web-based vulnerabilities, because many sites fail to protect against them and they’ve been largely ignored by the Web development and security communities.  CSRF attacks do not appear in the Web Security Threat Classification and are rarely discussed in academic or technical literature.  CSRF attacks are simple to diagnose, simple to exploit and simple to fix. They exist because Web developers are uneducated about the cause and seriousness of CSRF attacks.  Web developers also may be under the mistaken impression that defenses against the better-known Cross-Site Scripting (XSS) problem also protect against CSRF attacks.by Erin Swanson <a href="mailto:ESwanson@cenzic.com">ESwanson@cenzic.com</a> 9 application/xml false hack new york times Popular Websites Vulnerable to Cross-Site Request Forgery Attacks 4 real-world example of how hackers attack Websites http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks Cross-Site Request Forgeries: Exploitation and Prevention Read this 13 page paper on CSRF http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) 127.0.0.1 127.0.0.1 eswanson 64.60.123.45 false true false false true 204329 false false true false false false true 247601 Resource 204329 173239 173239 1261619818987 1261619818987 Controlled RE: Real World Hacking Example: The New York Times

Winter is coming ,many people are afraid of cold,especially the feet.then you must something to keep warm,I think you need a pair of snow boots,made of wool.such as UGG boots,tall boots,short boots or mini boots,Very warm to wear them.And the style ,the color also the material,the quality are very good .Walking in the fashion front. welcome to my web http://www.uggboots-space.com 10 application/xml true Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 GTB6 127.0.0.1 127.0.0.1 59.58.175.182 false true false false true 202615 blog blogsite/Cenzic/web