Don't Let Bad Guys Pose as You

Flaws let attackers trick a Web site into providing your personal information.
Erik Larkin is an associate editor at PC World. Send e-mail to firstname.lastname@example.org.
Illustration by Mark Matcho
Google recently fixed such a flaw that malefactors could exploit to steal a Gmail user's full contact list. The threat used the arcane-sounding "cross-site request forgery" (CSRF) strategy. The ploy is similar to cross-site scripting (XSS) attacks, in which attackers booby-trap a trusted site by rigging it with links that take the visitor to malicious destinations. But whereas XSS attacks exploit the trust that a user has for a site, CSRF attacks exploit the trust a Web site has for a user, according to WhiteHat Security chief technology officer Jeremiah Grossman.
Once you are logged in to a Web site, it trusts all requests that come from your browser. So CSRF forgeries simply trick your browser into sending a request for, say, your contact list -- or as happened with a recently repaired flaw on the Netflix site, a request to change your movie queue or account details. Conceivably, such attacks could also allow someone to transfer money from your bank account, though that kind of theft would be much more difficult to pull off because of the higher level of security used by most financial institutions.
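The mechanism described above, as an added example that is not part of the original article: a toy request handler that trusts the session cookie alone (the CSRF flaw) beside one that also demands a per-session token the foreign page cannot read and a matching Origin header. The site name, session values and handler names are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass

SITE_ORIGIN = "https://movies.example"   # hypothetical site, assumed for this example

def new_session_store():
    """Constructed server-side session store: cookie value -> session state."""
    return {"sess-abc123": {"user": "alice", "queue": [], "csrf": secrets.token_hex(16)}}

@dataclass
class Request:
    cookies: dict        # attached by the browser to every request for the site,
                         # whether or not the page that triggered it belongs to the site
    form: dict           # POST body
    origin: str = ""     # Origin header, sent by modern browsers on cross-site POSTs

def vulnerable_add_to_queue(req, store):
    """Trusts the session cookie alone (the flaw the article describes): any page
    that gets the browser to POST here can change the victim's queue."""
    sess = store.get(req.cookies.get("session"))
    if sess is None:
        return 401
    sess["queue"].append(req.form["title"])
    return 200

def hardened_add_to_queue(req, store, site_origin=SITE_ORIGIN):
    """Synchronizer-token defence: the form must carry a per-session secret that
    a foreign page cannot read, and cross-origin POSTs are refused outright."""
    sess = store.get(req.cookies.get("session"))
    if sess is None:
        return 401
    if req.origin and req.origin != site_origin:
        return 403
    # constant-time comparison so the token check itself leaks no timing information
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403
    sess["queue"].append(req.form["title"])
    return 200

if __name__ == "__main__":
    store = new_session_store()
    # Constructed forged request: the cookie rides along automatically, but the
    # foreign page knows neither the token nor how to forge its own Origin.
    forged = Request({"session": "sess-abc123"}, {"title": "Attacker's pick"}, "https://evil.example")
    print(vulnerable_add_to_queue(forged, store), store["sess-abc123"]["queue"])   # 200 ["Attacker's pick"]
    print(hardened_add_to_queue(forged, store))                                    # 403
```

A forged request from an older browser that sends no Origin header still fails the token check, which is why the token, not the Origin check, is the primary defence.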
"The attack would be pretty much invisible," Grossman says. What's more, he notes, it's next to impossible to tell whether anyone actively exploited the hole during the relatively short interval between its public release and its fix.
Though the CSRF threat isn't trivial, you needn't completely distrust the Web yet. Banking and other financial sites will automatically log you out after a set period of inactivity. And attacks must be specially crafted for each site. An attack that worked on Google wouldn't work on Yahoo, for instance.
Another reason not to panic is that CSRF-type exploits are still in their very early stages, and Internet criminals have easier, more reliable ways to make a buck -- such as by infecting computers with Trojan horses or creating botnets. But just as malware has grown much more sophisticated, CSRF threats undoubtedly will, too.