Not long after the Web browser intranet hacking incident targeting DSL users in Mexico comes another DNS-pharming attack exploiting AT&T 2Wire DSL modems. Check out how simple these two sample URLs are for CSRFing victims:
This type of intranet CSRF hack is super easy to pull off since you only need to place specially-crafted URLs inside of an HTML image tag and post it to any public website. MySpace, WebMail, blogs, message boards, etc. would all make great avenues for snaring the unsuspecting. Who knows where the victims in this case were originally exploited. The first person to notice only did so by using ping and spotting an odd IP address.
If we get a third event in rapid succession, I’d say that’s the start of a trend. Perhaps we should start advocating a new best practice, host-based egress rules. Little Snitch works great on OS X. In fact, I’ve already started implicitly blocking intranet connections from my browser specifically to my DSL router IP. Hopefully the browser vendors will give the remaining 99.99% something soon by default.
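As an added illustration (not code from this post or from 2Wire), here is the server-side policy a router admin interface needs so that a URL loaded from an image tag cannot change settings: state changes only over POST, a per-session anti-CSRF token, and an Origin check. The endpoint path, the gateway address and the three sample requests are all constructed for the example.

```python
# Added example: a minimal CSRF gate for a router admin endpoint such as a
# DNS-settings form. All names and values here are constructed; this is not
# 2Wire firmware code. Two rules defeat the image-tag trick described above:
#   1. an <img> tag is fetched with GET, so state changes are accepted only
#      over POST; and
#   2. the POST must carry a token bound to the login session, and when the
#      browser sends an Origin header it must match the router's own origin.
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.1.254"   # assumed gateway address

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def issue_token(session):
    """Mint a random token and bind it to the logged-in session."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]

def csrf_check(req, session):
    """Return (allowed, reason) for a request to a state-changing endpoint."""
    if req.method != "POST":
        return False, "state change via %s refused; POST only" % req.method
    origin = req.headers.get("Origin")
    if origin is not None and origin != ROUTER_ORIGIN:
        return False, "cross-site Origin %s" % origin
    expected = session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"

def demo():
    """Run three constructed requests through the gate; returns allow flags."""
    session = {}
    token = issue_token(session)
    # What an <img> tag produces: a GET carrying the new DNS server.
    img_get = Request("GET", "/admin/dns?primary=203.0.113.9")
    # A cross-site auto-submitted form: right method, no token, foreign Origin.
    forged = Request("POST", "/admin/dns", {"Origin": "http://evil.example"},
                     {"primary": "203.0.113.9"})
    # The router's own admin page: same origin plus a valid session token.
    legit = Request("POST", "/admin/dns", {"Origin": ROUTER_ORIGIN},
                    {"primary": "9.9.9.9", "csrf_token": token})
    return [csrf_check(r, session)[0] for r in (img_get, forged, legit)]

if __name__ == "__main__":
    print(demo())  # [False, False, True]
```

The token check is what carries the weight: older browsers send no Origin header at all, which is why a missing Origin is tolerated but a missing token never is.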
I love CSRF, because it is both simple and effective. First thing anyone should do when purchasing a router (or actually any type of device) is to change all of the settings from the factory defaults, or what some like to call, "Secured Defaults".
How much you wanna bet this new round of Hotmail spam attacks is a CSRF attack?
CSRF is great; most security people don't seem to understand it, let alone the developers of the world.
I've seen tons of intranet attacks via CSRF; at least in India.
Most broadband companies here provide custom routers with OLD firmware. Lots of CSRF bugs that are slowly picking up pace with exploitation.
CTO, Security Brigade
Penetration Testing, PCI DSS Compliance, Security Consulting etc.
Actually, the first one gave an error and asked me to set a new pass. If someone managed to allow multiple accounts to be used at once in Windows, created an account and changed the settings in the registry so you can't see the account, I wonder what kind of servers they would like to run on your computer ... =0