Tuesday 21 July 2015

The threat of login CSRF

Login CSRF is an often overlooked web vulnerability. Developers tend to focus on securing user data and assume that users would not voluntarily give up access to their accounts. Yet with login CSRF exactly this happens, only in reverse: the attacker gives the victim full control of the attacker's own account (a throwaway account, of course) by logging the victim's browser into it. Once the victim and attacker share the same trust domain, various other attacks become possible.

Consequences can vary:

  • the attacker can monitor the victim's actions
  • the attacker can interact with the victim without the victim realizing that a session swap just occurred
  • some low-severity bugs become exploitable (e.g. an XSS in a configuration page that is visible only to the account holder)
  • or simply search the web for such links: unexpired password-reset links and the like that are still indexed may actually log whoever follows them into the victim's account

To mitigate this issue, don't log users in where that is not required. If it's a password reset link, only reset the password; if it's an e-mail confirmation link, only confirm the e-mail address without logging the user in. And make sure your other login forms are CSRF protected.
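CSRF protection for the login form itself, as an added example that is not part of the original post: a stdlib-only Python sketch that binds a hidden form token to an anonymous pre-session cookie (synchronizer-token style), shown beside the unprotected handler it replaces. SERVER_KEY, USERS, the request dict layout and the handler names are constructed for illustration, not any real framework's API.

```python
import hmac
import hashlib
import secrets

# Constructed per-deployment secret; a real app loads this from configuration.
SERVER_KEY = secrets.token_bytes(32)

# Constructed user store standing in for the real authentication backend.
USERS = {"alice": "correct horse", "attacker": "attacker-pw"}

def authenticate(username, password):
    """Return the username on a valid credential pair, else None."""
    return username if USERS.get(username) == password else None

def issue_pre_session():
    """Anonymous 'pre-session' cookie, set when the login form is rendered."""
    return secrets.token_urlsafe(32)

def csrf_token_for(pre_session_id):
    """Hidden-field token bound to that cookie; only SERVER_KEY can mint it."""
    return hmac.new(SERVER_KEY, pre_session_id.encode(), hashlib.sha256).hexdigest()

def login_unprotected(request):
    """Vulnerable handler: any POST with valid credentials starts a session,
    including one a third-party page submits with the attacker's own credentials."""
    user = authenticate(request["form"].get("username"), request["form"].get("password"))
    return (200, user) if user else (401, None)

def login_protected(request):
    """Hardened handler: the form token must match the pre-session cookie the
    browser sends. A cross-site page cannot read the victim's cookie, so it
    cannot supply a matching token, and the forged login is refused."""
    pre = request.get("cookies", {}).get("pre_session")
    token = request["form"].get("csrf_token")
    if not pre or not token or not hmac.compare_digest(csrf_token_for(pre), token):
        return 403, None
    return login_unprotected(request)

def demo():
    """Victim browser holding its own pre-session cookie receives a forged
    cross-site login POST, then performs a legitimate same-site login."""
    victim_cookie = issue_pre_session()
    forged = {
        "cookies": {"pre_session": victim_cookie},       # browser attaches victim's cookie
        "form": {"username": "attacker", "password": "attacker-pw",
                 # token for a pre-session the attacker controls, not the victim's
                 "csrf_token": csrf_token_for(issue_pre_session())},
    }
    legit = {
        "cookies": {"pre_session": victim_cookie},
        "form": {"username": "alice", "password": "correct horse",
                 "csrf_token": csrf_token_for(victim_cookie)},
    }
    return {"forged_unprotected": login_unprotected(forged),
            "forged_protected": login_protected(forged),
            "legit_protected": login_protected(legit)}
```

The same token check belongs on every other form that establishes or switches a session, which is why the post's advice is to keep confirmation and reset links from logging anyone in at all.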