Researcher Lance James has been busy devising ways to play tricks on some of the world's bigger websites using an exotic attack known as CSRF, or cross site request forgery. While his exploits amount to little more than pranks, they point to the very sobering realization that the net isn't a very secure place. One proof-of- …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Friday 27th March 2009 23:49 GMT Del Merritt

Scarily cool

Very slick. NoScript and Adblock were of no help there.

0 0
Saturday 28th March 2009 16:57 GMT Anonymous Coward

Seems like...

...someone should use this to add a Rick Astley documentary to peoples' Netflix queues... Assuming there is one. There's gotta be, right?

0 0
Saturday 28th March 2009 16:57 GMT lupine

hiring

i wonder if chuck can code...an ideal site admin methinks

0 0
Saturday 28th March 2009 16:57 GMT Anonymous Coward

Surprise!

Just when I forgot that the web is pants, someone reminded me! Just in the nick of time, too. I was about to trust a load of websites with my naked pictures.

0 0
Sunday 29th March 2009 00:18 GMT Mark McC

Scary, but it's no Chuck Norris

When someone exploits a vulnerability that steals your passwords, edits your details and finishes off by roundhouse kicking your monitor through a window, then, and only then, will they be entitled to use the Chuck Norris analogy.

0 0
Sunday 29th March 2009 17:35 GMT Anonymous Coward

Doesnt work for me

I have netflix in my "trusted zone" and of course the demo page is not in my trusted zone, so it doesnt work. So thats what "zones" are for ;)

0 0
Sunday 29th March 2009 21:21 GMT Anonymous Coward

Oops

Seems I was wrong, the "trusted zones" approach DID NOT protect against this. Oh well.

0 0
Monday 30th March 2009 08:49 GMT Anonymous Coward

Just think...

...how you could mess with the stats!

And this weeks No 1 film (by popular demand) is: ishtar!

0 0
Monday 30th March 2009 08:49 GMT Wortel

Very nice

Now that's some serious inventiveness. Well done on him, and now we'll soon see what's needed to plug the holes properly.

0 0
Monday 30th March 2009 08:49 GMT Anonymous Coward

Interesting.

I got a notification that i was not in the US.

Does anyone know if it works across browser instances ?

0 0
Monday 30th March 2009 13:49 GMT Elmer Phud

@ Mark McC

"When someone exploits a vulnerability that steals your passwords, edits your detail"

You missed out "just with his teeth".

0 0
Monday 30th March 2009 13:56 GMT Glyn Kennington

GET and POST

Those demonstrations have to submit the cross-site requests as HTTP GET, because they're images and redirects (which happen automatically). But the requests being made are state-changing, so they should be POSTs (requiring user interaction). How would a check in the website's server-side form processing for GET vs POST (or for the HTTP referrer, for that matter) inconvenience the user?

0 0
Monday 30th March 2009 15:02 GMT Colin Millar

I blame apple

For inventing iFrames

0 0
Tuesday 31st March 2009 10:21 GMT Ian

lol?

"While his exploits amount to little more than pranks, they point to the very sobering realization that the net isn't a very secure place."

Hi Dan,

Welcome to 1995, the year when everyone else already figured this out.

By sobering realization I can only assume you mean you've been too drunk to notice the net is inherently insecure for the last 14 years.

0 0