Description

Cross-Site Request Forgery (CSRF) attacks occur when a malicious web site causes a user’s web browser to perform an unwanted action on a trusted site. These attacks have been called the “sleeping giant” of web-based vulnerabilities, because many sites on the Internet fail to protect
against them and because they have been largely ignored by the web development and security communities. We present four serious CSRF vulnerabilities we have discovered
on four major sites, including what we believe is the first published attack involving a financial institution. These vulnerabilities allow an attacker to transfer money out of user bank accounts, harvest user email addresses, violate user privacy and compromise user accounts. We
recommend server-side changes (which we have implemented) that are able to completely protect a site from CSRF attacks. We also describe the features a server-side solution should have (the lack of which has caused CSRF protections to unnecessarily break typical web browsing behavior). Additionally, we have implemented a clientside browser plugin that can protect users from certain types of CSRF attacks even if a site has not taken steps to protect itself. We hope to raise the awareness of CSRF attacks while giving responsible web developers the tools to protect users from these attacks.