Simon Willison’s Weblog

Subscribe
Atom feed for bill-zeller

2 items tagged “bill-zeller”

2008

We've found CSRF vulnerabilities in sites that have a huge incentive to do security correctly. If you're in charge of a website and haven't specifically protected against CSRF, chances are you're vulnerable.

Bill Zeller

# 29th September 2008, 1:11 pm / bill-zeller, csrf, security

Popular Websites Vulnerable to Cross-Site Request Forgery Attacks. Ed Felten and Bill Zeller announce four CSRF holes, in ING Direct, YouTube, MetaFilter and the New York Times. The ING Direct hole allowed transfer of funds out of a user’s bank accounts! The first three were fixed before publication; the New York Times hole still exists (despite being reported a year ago), and allows you to silently steal e-mail addresses by CSRFing the “E-mail this” feature.

# 29th September 2008, 1:08 pm / csrf, edfelten, bill-zeller, security, ingdirect, youtube, metafilter, new-york-times