ghacks Technology News

Google Implements Cross-site Request Forgery Protection


Cross-site request forgery attacks are carried out from a computer system or user that is trusted by a website. Cookies that do not expire after a user closes the website or web browser are one of the most common forms of trust that can be exploited by cross-site request forgery attacks. The attacker needs to use the user’s web browser to send HTTP requests to the target website, which is usually accomplished by posting these links in emails, forums, chats and other means of communication.


At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. A user who is authenticated by a cookie saved in the user’s web browser could unknowingly send an HTTP request to a site that trusts the user and thereby cause an unwanted action. (source: Wikipedia)

Google has (finally) started to implement cross-site request forgery protections to protect Google users and their online services, according to an article posted at The Register.

Sometime in the last three days, Google’s login pages began setting a cookie with a unique token on each user’s browser, according to Mike Bailey, a senior researcher for Foreground Security. That same value is also embedded into the login form. If the two don’t match, the user will be unable to log in.

Security experts have criticized Google in the past for not implementing a cross-site request forgery protection. Google engineers were quick to close security vulnerabilities that were caused by this attack type but did not implement a generic protection against these types of attacks.
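The cookie-and-form token check described above is commonly called the double-submit cookie pattern. The following is an added example of how such a check works, not Google's code; the cookie and field names are assumed, and the whole exchange is simulated in plain strings.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

COOKIE_NAME = "csrf_token"  # hypothetical name; the article does not give the real one
FIELD_NAME = "csrf_token"   # hypothetical hidden form field name


def issue_token() -> str:
    """Mint a fresh, unguessable token for the login page."""
    return secrets.token_urlsafe(32)


def login_page(token: str) -> tuple:
    """Return (Set-Cookie header value, HTML form) carrying the same token twice:
    once as a cookie and once as a hidden field inside the login form."""
    set_cookie = f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
    html = (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'
        '<input name="user"><input name="pass" type="password">'
        "<button>Sign in</button></form>"
    )
    return set_cookie, html


def check_login_request(cookie_header: str, form_body: str) -> bool:
    """Accept the POST only if both tokens are present and equal.

    A cross-site page can make the browser send the cookie, but it cannot read
    the cookie's value, so it cannot place the matching token in a forged form.
    """
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    cookie_token = cookies[COOKIE_NAME].value if COOKIE_NAME in cookies else ""
    form_token = parse_qs(form_body).get(FIELD_NAME, [""])[0]
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison so a mismatch leaks no timing information.
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())
```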


© 2005-2009 Ghacks.net. All Rights Reserved.