search

Real-World CSRF Attacks & Prevention

hashtag
About

CSRF occurs when an attacker forces an authenticated user to perform unwanted actions on a web application without their consent. The attack is successful when the victim’s browser automatically sends session cookies (authentication credentials) along with the forged request.

hashtag
The Samy Worm (2005) - MySpace CSRF Attack

hashtag
What Happened?

  • The attacker (Samy Kamkar) exploited a CSRF vulnerability in MySpace.

  • He injected a self-replicating JavaScript payload that automatically added him as a friend when any logged-in user viewed his profile.

  • The worm spread rapidly, infecting over 1 million accounts within 24 hours.

hashtag
How It Worked

<img src="http://www.myspace.com/addfriend.php?friend_id=12345" />

  • Any logged-in user who viewed Samy’s profile automatically sent a request to add him as a friend without their knowledge.

hashtag
Gmail CSRF Attack (2007) – Stealing Emails

hashtag
What Happened?

  • A researcher demonstrated a CSRF attack that stole Gmail emails.

  • Victims who were logged into Gmail could be tricked into visiting a malicious webpage.

  • The webpage contained a CSRF attack that forwarded the victim’s emails to the attacker’s account.

hashtag
How It Worked

  • As soon as the victim loaded the page, their emails were forwarded without their consent.

hashtag
PayPal CSRF Attack (2010) – Unauthorized Fund Transfer

hashtag
What Happened?

  • An attacker demonstrated how CSRF could be used to transfer money from a PayPal account.

  • The attacker hosted a malicious webpage that contained a hidden form that automatically submitted a money transfer request.

hashtag
How It Worked

  • If a logged-in PayPal user visited this page, money was transferred to the attacker’s account automatically.

hashtag
Netflix CSRF Attack (2008) – Changing Account Details

hashtag
What Happened?

  • A vulnerability allowed attackers to change email addresses and passwords of Netflix users.

  • If a user was logged in and visited a malicious site, their Netflix account was hijacked.

hashtag
How It Worked

  • The victim’s Netflix account email was changed to an attacker-controlled email, effectively locking them out.

hashtag
ING Bank CSRF Attack (2013) – Unauthorized Money Transfers

hashtag
What Happened?

  • Dutch bank ING suffered from a CSRF vulnerability that allowed attackers to initiate unauthorized transactions.

hashtag
How It Worked

  1. Victim logs into their ING bank account.

  2. Victim visits a malicious webpage with an invisible form submission.

  3. The bank processes the forged request, transferring money to the attacker.

PreviousCSRFNextCORS

Last updated