Monday, May 21, 2007

CSRF and the Perils of Convenience

Since the recent advent of tabbed browsing, I've become a fan.

The idea that you can log into email, then open a new tab and browse news, then open yet another tab and check your bank account, then open another one and search for a recipe... this is a welcome addition to Internet browsing, and a very convenient and excellent way to surf.

Or is it?

Today, Ray Dickenson, our head of Innovation, gave me an update on what hackers are doing with cross-site scripting (XSS) in the form of the new "headed for prime time" version: cross-site request forgery (otherwise known as CSRF, or "sea-surf").

Note: When an attack has a snappy name, you know it's headed for prime time.

The CSRF attack is also known as the "Confused Deputy" attack (hey - another snappy name!) because it confuses a source of authority (i.e. your web browser) into permitting something that shouldn't happen (e.g. using your logged-in identity to transfer funds).

This is a potential problem for those of us who like tabbed browsing, because chances are you're logged into something useful/valuable in one of those tabs.

Here's the scam: you wake up, turn on your PC, and log into your bank. You check your stocks, make sure your spouse's current account activity is in line with what you expected, then open a new tab. You check the news. Then you open a new site, and search for something interesting and the search takes you to a video site. The video has a title and a sexy splash shot guaranteed to make you click. So you do.

Unfortunately, buried in the page behind the hyperlink you just clicked (attention web developers: forget what you've heard, both GET and POST requests are equally vulnerable) is a hidden request to your (top-five branded) bank to transfer a thousand bucks to an account on the same network.

And if the scammers are even a little bit into taking the trouble to create a good user experience, the same link will even launch the requested video using AJAX, without triggering JavaScript cross-site scripting protections.

Here's what happens next: while you watch the video - and are mightily entertained - the hidden request is sent to the online bank you stayed logged into in your other tab, and, if it is within your daily limits, executed.

Do you get a pop-up window, asking you to approve the transfer? Maybe, but not at all sites. Would you read it? Hopefully - but not at all times. Either way, statistically, the scammer wins.

The user defense to this is easy: never launch another browser window without logging out of the first one (goodbye, tabs!), clear out your cookie cache after every session, and learn to "just say no" when a web portal offers to store that login state for you for *two weeks*.

The web developer defense is easy too, but invisible to users - read up on user-specific session tokens, hidden input fields, and "double submission of cookies" using Ajax, folks. You may not garner any respect from users upon implementing this - it is nigh impossible for a user to know you've implemented session-specific tokens, for instance, unless they peruse your code - but at least you'll feel better knowing you made the net a safer place.
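A minimal sketch of the two developer defenses just named, the per-session token carried in a hidden input field and the double-submitted cookie echoed by the site's own Ajax code in a custom header, written as an added example and not taken from the original post or any framework; the request layout, the SESSIONS store, the `X-CSRF-Token` header name and the sample requests are all constructed for illustration.

```python
"""Synchronizer-token and double-submit-cookie CSRF checks (illustrative;
the request layout, SESSIONS store and sample requests are constructed)."""
import hmac
import secrets

SESSIONS = {}  # server-side session store: session id -> record (stand-in)

def start_session():
    """Log a user in and mint a per-session CSRF token alongside the session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid

def render_transfer_form(sid):
    """Emit the hidden input field that carries the session's token to the browser."""
    return f'<input type="hidden" name="csrf_token" value="{SESSIONS[sid]["csrf"]}">'

def synchronizer_check(request):
    """Accept a state-changing POST only if the hidden-field token matches the
    token stored for the session named by the cookie."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return False
    submitted = request["form"].get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), session["csrf"].encode())

def double_submit_check(request):
    """Stateless variant: the token is set in a cookie and the page's own Ajax
    code repeats it in a custom header; a cross-site page cannot read the
    cookie, so it cannot produce the matching header."""
    cookie_token = request["cookies"].get("csrf", "")
    header_token = request["headers"].get("X-CSRF-Token", "")
    return bool(cookie_token) and hmac.compare_digest(
        cookie_token.encode(), header_token.encode())

def demo():
    """Legitimate transfer from the bank's own page versus the forged one
    launched from the video site in the scenario above."""
    sid = start_session()
    token = SESSIONS[sid]["csrf"]
    legit = {"cookies": {"sid": sid, "csrf": token},
             "headers": {"X-CSRF-Token": token},
             "form": {"to": "acct-1234", "amount": "1000", "csrf_token": token}}
    # The browser attaches the bank's cookies to the forged request automatically,
    # but the attacker's page never sees their values, so both tokens are missing.
    forged = {"cookies": {"sid": sid, "csrf": token}, "headers": {},
              "form": {"to": "acct-5678", "amount": "1000"}}
    return (synchronizer_check(legit), synchronizer_check(forged),
            double_submit_check(legit), double_submit_check(forged))
```

Both checks accept the bank's own form and reject the forged one, even though the forged request arrives with the victim's live session cookie; the checks only help if every state-changing action is behind them, which is also why GET requests should never change state.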

My prediction? CSRF and Confused Deputy attacks will, with the growth of tabbed browsing and persistent login, grow to become a major issue. They will cause pain for us "triple-tabbers" for years to come.

Note: You don't really need to be using a tabbed browser to get hit by this attack - if you don't log out, and the site doesn't expire the cookie automatically, you're still vulnerable. I focused on tabbed browsers only because I like them.
