March 31, Softpedia – (International) Expert shows how hackers can use CSRF browser vulnerability. The hacker who broke into GitHub to demonstrate a vulnerability warns that cross-site request forgery (CSRF), a security hole that affects all browsers, must be addressed immediately because it poses a great risk to unsuspecting users. He claims CSRF security holes have been present for a long time, but many underestimated the dangers hiding behind them. Unlike cross-site scripting attacks, which exploit the trust a user has in a particular site, CSRF attacks rely on the trust that a site has in a browser. The expert explains that when users sign in to any site, dubbed by the researcher site1.com, they are remembered by the cookie mechanism. By leveraging the vulnerability, the hacker can shorten the Web site’s session and social engineer the victim into signing in again. The user signs in a second time and a malicious script is triggered. Then, when the user visits a second site, named site2.com, the exploit begins.
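The point of the report is that a browser sends site1.com's session cookie automatically, so a request triggered from site2.com looks authenticated. The following added example (not code from the article or the researcher) shows the defender-side check that breaks this: site1.com binds a token to the session and refuses a state-changing request that carries only the cookie. The secret key, session ids and site origin are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed demo key; a deployment uses its own random secret.
SECRET_KEY = b"constructed-demo-key"
SITE_ORIGIN = "https://site1.com"  # the site whose trust in the browser CSRF abuses


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session token that site1.com embeds in its own forms.

    Only site1.com's pages can read this value; a page on site2.com can make
    the browser send the cookie, but cannot read the token to include it.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_trusted_request(session_id: str, headers: dict, form: dict) -> bool:
    """Accept a state-changing request only if it came from site1.com itself.

    session_id: identity recovered from the session cookie (the browser sends
    it regardless of which site initiated the request, which is the problem).
    headers: request headers; form: submitted form fields.
    """
    # 1. If the browser supplied Origin or Referer, it must match our own origin.
    source = headers.get("Origin") or headers.get("Referer")
    if source:
        parsed = urlparse(source)
        if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
            return False
    # 2. Independently of headers, the form must carry the session-bound token.
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted, issue_csrf_token(session_id))


def demo() -> dict:
    """Legitimate submission versus a cookie-only request forged from site2.com."""
    sess = "constructed-session-id"
    legit = is_trusted_request(sess, {"Origin": SITE_ORIGIN},
                               {"csrf_token": issue_csrf_token(sess)})
    forged = is_trusted_request(sess, {"Origin": "https://site2.com"}, {})
    cookie_only = is_trusted_request(sess, {}, {})  # no Origin, no token
    return {"legit": legit, "forged": forged, "cookie_only": cookie_only}


if __name__ == "__main__":
    print(demo())
```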
Ali Loney, on March 31, 2012