A team of security researchers from Princeton University has disclosed cross-site request forgery (CSRF) vulnerabilities on four prominent websites: YouTube, MetaFilter, ING Direct and the New York Times.
Although YouTube, MetaFilter and ING Direct have already fixed the bug, the New York Times' website has yet to address the flaw, the researchers wrote in a blog post.
According to the researchers, one of these vulnerabilities allowed an attacker to create a fake account on ING Direct's website on behalf of the user and transfer funds from the user's account to the attacker's account.
The CSRF vulnerability on the New York Times' website could be exploited to harvest users' email addresses for spamming, while on MetaFilter attackers could take over a user's page through the lost-password feature.
Furthermore, the team stated that YouTube is vulnerable to such attacks on almost every action a user performs on the site.
The researchers said they have built two tools to counter CSRF attacks: a server-side tool that protects a vulnerable site, and a client-side tool designed specifically to protect users.
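The article does not describe how the researchers' tools work, so the following is an added example, not their code, showing the standard server-side defence a site can apply to requests like the ING Direct transfer described above: a per-session synchronizer token that the site's own forms carry and that a page on another origin cannot read. The function and variable names (`login`, `issue_csrf_token`, `transfer_vulnerable`, `transfer_protected`, the in-memory `SESSIONS` store and the constructed ledger) are hypothetical.

```python
import hmac
import secrets

# Constructed in-memory session store; a real site would use its session framework.
SESSIONS = {}


def login(user):
    """Create a server-side session and return its id (the value a cookie would carry)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user}
    return sid


def issue_csrf_token(sid):
    """Synchronizer token: one random secret per session, embedded in the site's own forms.
    Pages on other origins cannot read it because of the browser's same-origin policy."""
    session = SESSIONS[sid]
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def transfer_vulnerable(sid, form, balances):
    """Pre-fix handler: authenticates by session cookie alone, so a form that any
    site the victim visits while logged in makes the browser submit is honoured."""
    user = SESSIONS[sid]["user"]
    amount = int(form["amount"])
    balances[user] -= amount
    balances[form["to"]] += amount
    return "ok"


def transfer_protected(sid, form, balances):
    """Hardened handler: additionally requires the per-session token in the POST body,
    compared in constant time."""
    session = SESSIONS[sid]
    expected = session.get("csrf")
    supplied = form.get("csrf", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "rejected: missing or invalid CSRF token"
    amount = int(form["amount"])
    balances[session["user"]] -= amount
    balances[form["to"]] += amount
    return "ok"


def simulate_forged_request(handler):
    """A logged-in victim's browser submits a form hosted on a third-party page.
    The browser attaches the session cookie, but the third party does not know the token."""
    balances = {"victim": 1000, "attacker": 0}  # constructed ledger
    sid = login("victim")
    issue_csrf_token(sid)  # the real site has already rendered a token to the victim
    forged_form = {"to": "attacker", "amount": "100"}  # no csrf field
    result = handler(sid, forged_form, balances)
    return result, balances


def simulate_legitimate_request():
    """The victim submits the site's own form, which carries the token."""
    balances = {"victim": 1000, "friend": 0}  # constructed ledger
    sid = login("victim")
    form = {"to": "friend", "amount": "100", "csrf": issue_csrf_token(sid)}
    result = transfer_protected(sid, form, balances)
    return result, balances


if __name__ == "__main__":
    print(simulate_forged_request(transfer_vulnerable))  # money moves
    print(simulate_forged_request(transfer_protected))   # rejected, ledger unchanged
    print(simulate_legitimate_request())                 # token present, money moves
```

The token must be unpredictable, bound to the session, and checked on every state-changing request; checking the `Referer` or `Origin` header is a useful second line of defence but is not a substitute, since those headers may be absent.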