Four top sites vulnerable to attack, warn researchers
Four leading Web sites were, or in one case still are, vulnerable to attack through an underrated class of vulnerability, according to Princeton University researchers. While ING Direct, YouTube and Metafilter have taken action to address the cross-site request forgery (CSRF) vulnerabilities, the fourth site, belonging to The New York Times, has not been fixed, the researchers claimed in a blog post.
CSRF flaws can be exploited to make a user's browser, during an active session, send requests to a target site that the user never intended. Web authentication normally relies on a cookie containing a pseudo-random session identifier assigned to the browser at the start of a session, and the browser attaches that cookie to every request to the site regardless of which page issued the request. A hacker who can get the browser to issue such a request can therefore perform actions normally restricted to the user.
In the case of ING Direct, which the Princeton researchers said was one of the first financial services sites they had found to be vulnerable, the researchers managed to transfer funds out of user accounts and create accounts on behalf of arbitrary users.
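The funds-transfer scenario above is the classic CSRF case: the victim's browser supplies the session cookie, so the server cannot tell a forged request from a genuine one by the cookie alone. The following is an added example, not code from the article or from any of the sites it names, showing the standard synchronizer-token defence (plus an Origin check) in a framework-free Python simulation of a transfer endpoint. The `SITE_ORIGIN` value, the `Request` model and the session store are all assumptions constructed for the demo.

```python
"""Synchronizer-token CSRF defence, simulated without a web framework (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected site

# Server-side session store: session id -> session state (constructed for the demo)
SESSIONS: dict[str, dict] = {}


@dataclass
class Request:
    """Minimal model of an HTTP request as the server sees it."""
    method: str
    cookies: dict = field(default_factory=dict)  # attached automatically by the browser
    form: dict = field(default_factory=dict)     # body fields chosen by the page that issued the request
    headers: dict = field(default_factory=dict)


def login(user: str) -> tuple[str, str]:
    """Create a session and a per-session CSRF token; returns (session_id, csrf_token)."""
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": token, "balance": 1000}
    return sid, token


def handle_transfer(req: Request) -> tuple[int, str]:
    """State-changing endpoint: accepts only authenticated requests that also prove
    the issuing page could read the session's CSRF token (i.e. it was the site's own page)."""
    if req.method != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    # Defence 1: browsers add an Origin header to cross-site POSTs; reject foreign origins.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site origin"
    # Defence 2: synchronizer token; constant-time comparison avoids timing leaks.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "missing or invalid csrf token"
    amount = int(req.form.get("amount", 0))
    if amount <= 0 or amount > session["balance"]:
        return 400, "bad amount"
    session["balance"] -= amount
    return 200, f"transferred {amount} to {req.form.get('to')}"


def demo() -> dict:
    """Run one forged and one genuine transfer against a fresh session."""
    sid, token = login("alice")
    # Forged request from another site: the browser attaches alice's cookie automatically,
    # but the foreign page cannot read the token and the browser labels its Origin.
    forged = Request("POST", cookies={"session": sid},
                     form={"to": "mallory", "amount": "500"},
                     headers={"Origin": "https://evil.example"})
    # Same forgery without an Origin header (older client): the token check still catches it.
    forged_no_origin = Request("POST", cookies={"session": sid},
                               form={"to": "mallory", "amount": "500"})
    # Genuine request from the bank's own form, carrying the token embedded in the page.
    genuine = Request("POST", cookies={"session": sid},
                      form={"to": "bob", "amount": "100", "csrf_token": token},
                      headers={"Origin": SITE_ORIGIN})
    return {"forged": handle_transfer(forged),
            "forged_no_origin": handle_transfer(forged_no_origin),
            "genuine": handle_transfer(genuine),
            "balance": SESSIONS[sid]["balance"]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The token must be unguessable, tied to the session, and delivered only inside the site's own pages (or a same-origin API response), never in a cookie alone; the Origin check is a cheap second layer for clients that send it. Modern deployments also set `SameSite` on the session cookie, which stops the browser from attaching it to most cross-site requests in the first place.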