Cross-site Request Forgery attacks are carried out from a computer system or user that is trusted by a website.
Cookies that do not expire after a user closes the website or web browser are one of the most common forms of trust that can be exploited by cross-site request forgery attacks.
The attacker needs to use the user's web browser to send HTTP requests to the target website which is usually accomplished by posting these links in emails, forums, chats and other means of communication.
At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. A user who is authenticated by a cookie saved in the user's web browser could unknowingly send an HTTP request to a site that trusts the user and thereby causes an unwanted action. (source Wikipedia)
Google has (finally) started to implement cross-site request forgery protections to protect Google users and their online services according to an article posted by the Register.
Sometime in the last three days, Google's login pages began setting a cookie with a unique token on each user's browser, according to Mike Bailey, a senior researcher for Foreground Security. That same value is also embedded into the login form. If the two don't match, the user will be unable to log in.
This means basically that Google compares the cookie set on the user system to information embedded on the company's login forms to block access to an account if the two don't match.
Security experts have criticized Google in the past for not implementing a cross-site request forgery protection. Google engineers were quick to close security vulnerabilities that were caused by this attack type but did not implement a generic protection against these types of attacks.Advertisement
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.