The hacker that breached GitHub returns with other interesting finds

Mar 31, 2012 11:02 GMT  ·  By

Egor Homakov, the hacker who became famous for hacking GitHub to demonstrate a vulnerability, warns that cross-site request forgery (CSRF), a security hole that affects all browsers, must be addressed immediately because it poses a great risk to unsuspecting users.

Homakov claims that CSRF security holes have been around for a long time, but many have underestimated the dangers behind them. Unlike cross-site scripting (XSS) attacks, which exploit the trust a user places in a particular site, CSRF attacks exploit the trust that a site places in the user's browser.

The expert explains that when users sign in to any site, which the researcher calls site1.com, they are remembered by the cookie mechanism. By leveraging the vulnerability, the attacker can cut the website's session short and social engineer the victim into signing in again.

The user signs in a second time and a malicious script is triggered. Then, when the user visits a second site, named site2.com, the magic starts.

“You visit site site2.com. No matter how you got there - let's assume a friend gave you the link. That site sells ‘iframe traffic’ (or just contains malicious code itself). It means that funny site uses your browser (and your accounts on all sites where you are logged in!!),” Homakov wrote.

“You know nothing and notice nothing. Hidden iframe loads malicious Javascript which executes POST (or GET/DELETE/PATCH etc. - all HTTP verbs are supported) by submitting generated <form> with specific params.

“Form's action points to site1.com/someaction, form's target - the name of another hidden iframe. Then, the code fires up formObject.submit(). It is manual form submitting.”

At this point, a request carrying the victim's session cookie has been sent to site1.com/someaction, and the attacker can post on the victim's blog or social media account, access their online banking accounts, or perform other malicious actions on the user's behalf.

He believes that, in order to fix the issue, browsers should be designed to deny potentially malicious requests by default, unless the user accepts them.

For a small demonstration of the issue, log in to an account, for instance a Gmail account, then go to the researcher's blog. When you try to access the same Gmail account in another tab, you will notice that the session has abruptly ended and you have been logged out.

The expert claims that further “top secret” information will be made available on April 1.
