Like a con artist who disguises himself as you so he can walk unmolested into your office building, a small but growing type of online threat takes advantage of Web site programming flaws to try to access your online accounts.
Google recently fixed such a flaw that malefactors could exploit to steal a Gmail user's full contact list. The threat used the arcane-sounding "cross-site request forgery" (CSRF) strategy. The ploy is a cousin of cross-site scripting (XSS) attacks, in which attackers inject their own script into a trusted site so that it runs in the browsers of that site's visitors. But whereas XSS attacks exploit the trust that a user has for a site, CSRF attacks exploit the trust a Web site has for a user, according to WhiteHat Security chief technology officer Jeremiah Grossman.
Once you are logged in to a Web site, your browser attaches that site's session cookie to every request it sends there, whether or not you meant to send it, and the site treats every such request as yours. So CSRF forgeries simply trick your browser into sending a request for, say, your contact list -- or as happened with a recently repaired flaw on the Netflix site, a request to change your movie queue or account details. Conceivably, such attacks could also allow someone to transfer money from your bank account, though that kind of theft would be much more difficult to pull off because of the higher level of security used by most financial institutions.
In the case of the Gmail flaw, if you visited a rigged site while logged into your Gmail account, embedded JavaScript code on that site could dispatch an invisible request to Google asking it to send your contact list to the site. You wouldn't even need to have Gmail open in your browser: If you chose the convenient 'Remember me' log-in option, or if you used the Google Toolbar or some other browser plug-in, your browser would still hold a valid Google cookie, and as far as Google was concerned you would still be logged in.
"The attack would be pretty much invisible," Grossman says. What's more, he notes, it's next to impossible to tell whether anyone actively exploited the hole during the relatively short interval between its public release and its fix.
Though the CSRF threat isn't trivial, you needn't completely distrust the Web yet. Banking and other financial sites will automatically log you out after a set period of inactivity. And attacks must be specially crafted for each site. An attack that worked on Google wouldn't work on Yahoo, for instance.
Another reason not to panic is that CSRF-type exploits are still in their very early stages, and Internet criminals have easier, more reliable ways to make a buck -- such as by infecting computers with Trojan horses or creating botnets. But just as malware has grown much more sophisticated, CSRF threats undoubtedly will, too.
The NoScript Firefox add-on can safeguard you against some CSRF threats by blocking JavaScript on unknown sites, but many attack permutations will still work, unfortunately, because a forged request can be launched by a plain image tag or form that needs no script at all. Also, these forgeries don't depend on a particular browser, and will happily trick a vulnerable site by means of Firefox, Internet Explorer, or any other browser. In general, though, because the flaws exist in Web sites, the fixes will have to come from the sites themselves.
Erik Larkin