Researchers find security holes in NYT, YouTube, ING, MetaFilter sites

Attackers could have used vulnerabilities on several Web sites to compromise people's accounts, allowing them to steal money, harvest e-mail addresses, or pose as others online.

Elinor Mills Former Staff Writer

Updated at 1:30 p.m. PDT with the New York Times saying they fixed the hole.

A new report from researchers at Princeton University reveals serious Web site security holes that could have been exploited to steal ING customers' money and compromise user privacy on YouTube, The New York Times' Web site, and MetaFilter.

The sites have all fixed the holes after being notified by the report's researchers, William Zeller and Edward Felten, a Princeton computer science professor and renowned security and privacy researcher.

The vulnerability arises from a coding flaw that could allow someone to carry out a cross-site request forgery (CSRF) attack, in which a "malicious Web site causes a user's Web browser to perform an unwanted action on a trusted site," according to the report.

"These attacks have been called the 'sleeping giant' of web-based vulnerabilities, because many sites on the Internet fail to protect against them and because they have been largely ignored by the web development and security communities," Zeller and Felten wrote.

On the ING site, the vulnerability could have allowed an attacker to open an account on behalf of a customer and transfer funds from the customer's legitimate account into that account.

The YouTube hole could have allowed an attacker to add videos to a user's "favorites," join the user's "friend" or "family" list, send messages on behalf of the user, flag videos as inappropriate, and share videos with the user's contacts, among other things.

On blogging site MetaFilter, an attacker could have exploited the vulnerability to take control of a user's account.

And The New York Times site vulnerability could have allowed an attacker to harvest e-mail addresses of people who use a feature on the site to e-mail articles to other people. The victim's e-mail address could then be used for spamming.

The report says The New York Times site had not been entirely fixed. However, a New York Times spokeswoman said it now has been.

"We take the security of our site and our users very seriously and act quickly to address any vulnerabilities," she said in a statement. "The issues outlined in the report have been resolved. We were notified last year by Ed Felten about 'E-mail This' and fixed the problem he outlined then within days. On Tuesday, we were alerted to a more complicated variant of the same problem (in their blog post) and we closed that security hole immediately."

The researchers suggest fixes that Web sites can make on their servers to close the security hole, and they released a Firefox plug-in that can protect consumer PCs even if sites have not fixed the vulnerability.

(Via IDG News Service.)

In this illustration of a cross-site request forgery attack, a malicious Web site causes a user's browser to send a request to a trusted site. The trusted site sees a valid, authenticated request from the browser and does what is asked. "CSRF attacks are possible because Web sites authenticate the web browser, not the user," the report says. William Zeller and Edward Felten
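To make the report's point that sites "authenticate the web browser, not the user" concrete, here is an added example (not code from the article, the report, or any of the sites named) contrasting a handler that trusts the session cookie alone with one that also requires a session-bound token. The article does not describe the researchers' suggested fixes, so the per-session token, a common server-side CSRF defense, is an assumption, and all names and data are hypothetical and constructed.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed for the demo)
SESSIONS = {"sid-alice": "alice"}      # constructed session store: cookie value -> user


def issue_csrf_token(session_id: str) -> str:
    """Token the trusted site embeds in its own forms; bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_cookie_only(cookies: dict, form: dict) -> str:
    """Weak: the session cookie alone authorizes the state change."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return "401 not logged in"
    return f"200 transferred {form['amount']} for {user}"


def handle_with_token(cookies: dict, form: dict) -> str:
    """Hardened: also require the session-bound token from the site's own form."""
    session_id = cookies.get("session", "")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not logged in"
    expected = issue_csrf_token(session_id).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(expected, supplied):
        return "403 missing or invalid CSRF token"
    return f"200 transferred {form['amount']} for {user}"


# The browser attaches the cookie to every request sent to the trusted site,
# including one triggered by a page on another origin.
browser_cookies = {"session": "sid-alice"}
cross_site_form = {"amount": "100"}    # another origin cannot read the token
same_site_form = {"amount": "100", "csrf_token": issue_csrf_token("sid-alice")}

if __name__ == "__main__":
    print(handle_cookie_only(browser_cookies, cross_site_form))
    print(handle_with_token(browser_cookies, cross_site_form))
    print(handle_with_token(browser_cookies, same_site_form))
```

The cookie-only handler cannot tell the forged request from a genuine one because both arrive with the same cookie; the token check succeeds only for forms the trusted site itself served.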