In a disclosure that has implications for the security of e-commerce and Web 2.0 sites everywhere, a researcher has perfected a technique for stealing unique identifiers used to prevent unauthorized access to email accounts and other private resources.
Many websites append a random token to URLs (or embed one in each form) once a user has entered a correct password. The token is designed to prevent CSRF (cross-site request forgery) attacks, which trick a website into executing unauthorized commands by exploiting the trust it places in a given user's browser. Because the token is unique for each user and unknown to the attacker, a CSRF attack cannot rifle through a victim's account simply by making the victim's browser load a generic, pre-built URL: the request would arrive without a valid token.
Now, a researcher who goes by the name Inferno has come up with a way to brute-force CSRF tokens by combining that guessing with a much older attack. As researchers have pointed out for years, a website can use what's known as CSS history hacking, in which the page styles links with the :visited selector and reads the result back, to test whether a visitor's browser has recently loaded any given URL. That test only answers yes or no for one URL at a time, but because the token sits in the URL and is short, the attacker can simply ask about all of them: by checking each visitor against a long list of candidate URLs, one for every possible token value on a highly desirable site (think Gmail, eBay, and the like), an unscrupulous webmaster learns which token the victim's browser actually used, with minimal fuss. The cost of the attack grows with the number of candidates, which is why the token's length and alphabet matter.
Some tips to protect sessions against this attack:
- Client-side solution (for your customers/users):
  - Use a browser plugin such as SafeHistory, which defends against visited-link-based tracking techniques. (Browsers released since 2010 also limit what a page can learn from :visited styling, which blunts the basic form of the probe.)
  - Use the private browsing mode in your browser, so that visited URLs are not written to history in the first place.
- Server-side solution (for developers):
  - Make your CSRF tokens long enough that enumerating every candidate URL inside the visitor's browser is infeasible. The article's floor is 8 or more characters; because the probing runs on the client, ever-increasing browser and CPU speed will push that floor upward over time, and the common recommendation is 128 bits of output from a cryptographic random generator.
  - Carry the CSRF token in a hidden form field rather than in the URL, so it never lands in the browser's history, where the CSS history hack can find it.
  - Use a different random token for every form submission and reject any obsolete token, even within the same session, so that a token which does leak is useless once the form it belonged to has been submitted.
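As an added example, not code from the article or from Inferno, the following Python sketch implements the three developer-side tips above and, for the attack model described earlier, shows how the attacker's probe count grows with token length. It assumes a per-session server-side store; the names CsrfTokenStore, render_form, handle_post and probe_count are hypothetical.

```python
# Added example (not code from the article or from Inferno): a minimal server-side
# CSRF token scheme that follows the three developer-side tips above. Names such
# as CsrfTokenStore, render_form and handle_post are hypothetical.
import hmac
import secrets
from html import escape

# 16 bytes = 128 bits of CSPRNG output per token. The CSS history probe has to
# emit one candidate URL per possible token value, so the candidate count is
# what matters; 2**128 candidates cannot be enumerated inside a browser.
TOKEN_BYTES = 16


def probe_count(alphabet_size: int, length: int) -> int:
    """Candidate URLs an attacker must probe to enumerate every token of this shape.

    E.g. a 4-digit numeric token needs 10**4 probes; 8 chars from [A-Za-z0-9] need 62**8.
    """
    return alphabet_size ** length


class CsrfTokenStore:
    """Outstanding single-use tokens for ONE session (kept server-side, e.g. in the session record).

    Each rendered form gets its own token; a token is removed the first time it is
    presented, so an obsolete (already used) token is rejected even for the same session.
    A bounded number of unused tokens is kept so a user with several tabs open can still
    submit any of them; the oldest is evicted when the bound is exceeded.
    """

    def __init__(self, max_outstanding: int = 32) -> None:
        self._tokens: dict[str, None] = {}   # dict keeps insertion order for eviction
        self._max = max_outstanding

    def issue(self) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._tokens[token] = None
        while len(self._tokens) > self._max:
            oldest = next(iter(self._tokens))
            del self._tokens[oldest]
        return token

    def consume(self, presented) -> bool:
        """Return True and retire the token if it is outstanding; constant-time compare."""
        if not isinstance(presented, str):
            return False
        for token in list(self._tokens):
            # compare_digest avoids leaking how many leading characters matched
            if hmac.compare_digest(token, presented):
                del self._tokens[token]
                return True
        return False


def render_form(store: CsrfTokenStore, action: str = "/transfer") -> str:
    """Render a form carrying a fresh token in a hidden field, never in the URL."""
    token = store.issue()
    return (
        f'<form method="POST" action="{escape(action, quote=True)}">'
        f'<input type="hidden" name="csrf_token" value="{escape(token, quote=True)}">'
        '<input type="submit" value="Send">'
        "</form>"
    )


def handle_post(store: CsrfTokenStore, form_fields: dict) -> tuple:
    """Validate a POST: the token must be present, outstanding for this session and unused."""
    presented = form_fields.get("csrf_token", "")
    if not store.consume(presented):
        return 403, "CSRF token missing, unknown or already used"
    return 200, "ok"


if __name__ == "__main__":
    store = CsrfTokenStore()
    page = render_form(store)
    token = page.split('value="')[1].split('"')[0]   # what the legitimate form sends back
    print(handle_post(store, {"csrf_token": token}))   # (200, 'ok')
    print(handle_post(store, {"csrf_token": token}))   # (403, ...): replay of a used token
    print(handle_post(store, {}))                      # (403, ...): forged request, no token
    print(probe_count(62, 8))                          # 218340105584896 candidate URLs
```

The store is keyed per session: a token stolen from one user is useless against another, and a used token is useless even against its owner. Keeping a small window of unused tokens rather than exactly one avoids breaking users who open several forms at once.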