Bitcoin Forum
Author Topic: I was wondering if CSRF attacks works through images...  (Read 1195 times)
Chick
June 30, 2011, 01:49:17 AM
 #1

Since your browser goes to the page itself to fetch the image for you to see, I'm just curious if this would work.



Oh, that's cool, it really does log me out of Google. LOL, take a look at the URL yourself.

qed
June 30, 2011, 01:54:42 AM
 #2

This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.

Quit the spam.

Mobile App (Android)

Monitor miners, exchange rates and Bitcoin network stats.
Chick
June 30, 2011, 01:55:20 AM
 #3

> Quote from: qed
> This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.
>
> Quit the spam.

Yes, but your browser sends an HTTP request to the URL.

qed
June 30, 2011, 02:00:45 AM
 #4

> Quote from: Chick
>> Quote from: qed
>> This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.
>>
>> Quit the spam.
>
> Yes, but your browser sends an HTTP request to the URL.

But, but...

Not working + spam thread => Big fail.

bluefirecorp
June 30, 2011, 02:05:11 AM
 #5

What the hell, it DOES work.

Logged me outta my Google account, I use Windows 7 Ult with Google Chrome
0.0

BCEmporium
June 30, 2011, 02:19:01 AM
 #6

Yes it DOES work, it's a matter of the REQUEST, not the RETURN.

If you're logged in to www.xpto.com and land on the attacker's site www.scammerzR.us, a fake image from scammerzR.us can make you perform some request at xpto.com.
Let's say www.xpto.com's creator is a lousy coder, and to withdraw BTC all you've to do is call withdraw.php?amount=10&addr=bitcoinAddress...
An image at scammerzR.us pointing at <img src="http://www.xpto.com/withdraw.php?amount=all&addr=scammerzRusAddress" /> would make you transfer everything from your account to his.

CSRF is however a very long-shot attack; the attacker has to have a reason to believe you may be logged in to the target site to input that sort of code. Normally this works better against sites like Facebook, where even if you're not currently there you may have an auth cookie.
qed
June 30, 2011, 02:25:57 AM
 #7

> Quote from: BCEmporium
> Yes it DOES work, it's a matter of the REQUEST, not the RETURN.
>
> If you're logged in to www.xpto.com and land on the attacker's site www.scammerzR.us, a fake image from scammerzR.us can make you perform some request at xpto.com.
> Let's say www.xpto.com's creator is a lousy coder, and to withdraw BTC all you've to do is call withdraw.php?amount=10&addr=bitcoinAddress...
> An image at scammerzR.us pointing at <img src="http://www.xpto.com/withdraw.php?amount=all&addr=scammerzRusAddress" /> would make you transfer everything from your account to his.
>
> CSRF is however a very long-shot attack; the attacker has to have a reason to believe you may be logged in to the target site to input that sort of code. Normally this works better against sites like Facebook, where even if you're not currently there you may have an auth cookie.

Not working for me on Google. If it does work for www.xpto.com, it plainly means it is an awful site.

Klestin
June 30, 2011, 03:19:00 AM
 #8

It will only work on sites which take an action on a GET, since images are always a GET and not a POST. So, rule number 1 of site design is to never do anything destructive on a GET. In general, logging out is about the worst you can do to someone on a reputable site.
cmh
June 30, 2011, 03:39:24 AM
 #9

If it doesn't work for you, see if you are really logged into a "google accounts" account. It won't log you out of a regular gmail account.
cmh
June 30, 2011, 03:41:55 AM
 #10

Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
I decided to remove it so everybody doesn't get mad at me.
DamienBlack
June 30, 2011, 05:47:10 AM
 #11

That is crazy. So when all the sites had CSRF vulnerabilities, we could have all been hijacked with embedded images that we never see. Just browsing the forum was dangerous. I guess most CSRF exploits read a cookie for session information, but still...

fascistmuffin
June 30, 2011, 06:14:56 AM
 #12

> Quote from: cmh
> Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
> I decided to remove it so everybody doesn't get mad at me.

Time to start to troll other forums with that as the sig image.  Grin

But in all seriousness, I'm surprised Google falls for this. I always imagined they were mostly on top of web design best practices and security.
BCEmporium
June 30, 2011, 12:37:17 PM
 #13

> Quote from: fascistmuffin
>> Quote from: cmh
>> Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
>> I decided to remove it so everybody doesn't get mad at me.
>
> Time to start to troll other forums with that as the sig image.  Grin
>
> But in all seriousness, I'm surprised Google falls for this. I always imagined they were mostly on top of web design best practices and security.

Some functions are harmless, like logging you out. At worst, what would happen is that you have to log in again.
You can prevent that with a token, e.g. ?logout&hl=en&token=23nikhu, so his image wouldn't do anything, since it is missing the token (which should be something random).
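The withdraw.php scenario from BCEmporium's post #6, Klestin's rule in #8 that nothing destructive should happen on a GET, and the random token BCEmporium suggests just above, as one added example. This is not code from this thread, from bitcointalk, or from any real site: it is a toy Python model of the target server and of the victim's browser. www.xpto.com, scammerzR.us and scammerzRusAddress are the thread's own placeholders; the Bank class, the Request model, the session and balance bookkeeping, and the attacker's HTML are constructed for this example.

```python
"""Toy model of the withdraw.php endpoint discussed in the thread, in its
vulnerable form and in a hardened form. Constructed example; nothing here is
real site code."""
import hmac
import re
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

TARGET = "www.xpto.com"   # the thread's placeholder target host


@dataclass
class Request:
    """What the server sees. The browser attaches www.xpto.com's cookies to an
    <img> fetch even when the <img> sits on another origin; that is the whole
    CSRF problem. An <img> can only ever produce a GET with no body."""
    method: str
    url: str
    cookies: dict
    form: dict = field(default_factory=dict)   # POST body fields, if any

    @property
    def query(self) -> dict:
        q = parse_qs(urlsplit(self.url).query, keep_blank_values=True)
        return {k: v[0] for k, v in q.items()}


class Bank:
    def __init__(self):
        self.sessions = {}      # session cookie value -> user name
        self.balances = {}      # user name -> balance (toy integer units)
        self.csrf_tokens = {}   # session cookie value -> per-session random token

    def login(self, user: str, balance: int) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        self.balances[user] = balance
        return sid

    def _user(self, req: Request):
        return self.sessions.get(req.cookies.get("session"))

    def _do_withdraw(self, user: str, params: dict) -> tuple:
        amount, addr = params.get("amount", "0"), params.get("addr", "")
        amt = self.balances[user] if amount == "all" else int(amount)
        if amt < 0 or amt > self.balances[user]:
            return 400, "bad amount"
        self.balances[user] -= amt
        return 200, f"sent {amt} to {addr}"

    # Vulnerable ("lousy coder") version: the cookie is the only check, the
    # action runs on a GET, and the parameters come from the query string, so a
    # hostile <img src="..."> on any site is enough to trigger it.
    def withdraw_vulnerable(self, req: Request) -> tuple:
        user = self._user(req)
        if user is None:
            return 401, "login required"
        return self._do_withdraw(user, req.query)

    # Hardened version, the two fixes the thread names: refuse to change state
    # on a GET, and demand a random per-session token the attacker cannot know,
    # compared in constant time.
    def new_csrf_token(self, sid: str) -> str:
        tok = secrets.token_urlsafe(32)
        self.csrf_tokens[sid] = tok
        return tok

    def withdraw_hardened(self, req: Request) -> tuple:
        user = self._user(req)
        if user is None:
            return 401, "login required"
        if req.method != "POST":
            return 405, "state-changing action requires POST"
        expected = self.csrf_tokens.get(req.cookies.get("session"), "")
        supplied = req.form.get("token", "")
        if not expected or not hmac.compare_digest(expected, supplied):
            return 403, "missing or wrong CSRF token"
        return self._do_withdraw(user, req.form)


# The payload from post #6 as it would sit in a page on scammerzR.us (constructed).
ATTACKER_HTML = ('<p>funny cat</p>'
                 '<img src="http://www.xpto.com/withdraw.php?amount=all&addr=scammerzRusAddress" />')


def browser_loads_image(html: str, victim_cookies: dict) -> Request:
    """Model the victim's browser rendering the attacker's page: it finds the
    <img> and fetches it with a plain GET, attaching the victim's cookies for
    www.xpto.com. An image element has no way to send a POST or a form body."""
    src = re.search(r'<img\s+src="([^"]+)"', html).group(1)
    if urlsplit(src).hostname != TARGET:
        raise ValueError("image does not point at the target site")
    return Request(method="GET", url=src, cookies=victim_cookies)


def run_scenarios() -> dict:
    """Return {scenario: (http_status, victim balance afterwards)}."""
    results = {}
    # 1. Vulnerable site: the invisible image drains the account.
    bank = Bank()
    sid = bank.login("victim", balance=100)
    status, _ = bank.withdraw_vulnerable(browser_loads_image(ATTACKER_HTML, {"session": sid}))
    results["vulnerable_image"] = (status, bank.balances["victim"])
    # 2. Hardened site, same image: rejected because it is a GET.
    bank = Bank()
    sid = bank.login("victim", balance=100)
    bank.new_csrf_token(sid)
    status, _ = bank.withdraw_hardened(browser_loads_image(ATTACKER_HTML, {"session": sid}))
    results["hardened_image"] = (status, bank.balances["victim"])
    # 3. Hardened site, attacker upgrades to an auto-submitting cross-site POST
    #    form (the cookie still rides along) and guesses the token: rejected.
    forged = Request("POST", f"http://{TARGET}/withdraw.php", {"session": sid},
                     form={"amount": "all", "addr": "scammerzRusAddress", "token": "23nikhu"})
    status, _ = bank.withdraw_hardened(forged)
    results["hardened_forged_post"] = (status, bank.balances["victim"])
    # 4. Legitimate request: the site's own form carries the token it issued.
    legit = Request("POST", f"http://{TARGET}/withdraw.php", {"session": sid},
                    form={"amount": "10", "addr": "1VictimsOwnAddress", "token": bank.csrf_tokens[sid]})
    status, _ = bank.withdraw_hardened(legit)
    results["hardened_legit_post"] = (status, bank.balances["victim"])
    return results


if __name__ == "__main__":
    for name, (status, balance) in run_scenarios().items():
        print(f"{name:22s} status={status} balance={balance}")
```

Scenario 1 is the thread's point: the browser attaches the session cookie to the image GET and the server transfers on nothing more than that. Scenario 2 shows that requiring POST stops an <img> outright, since an image element can only produce a GET. Scenario 3 shows why POST alone is not a fix: an auto-submitting cross-site form can POST with the cookie, so the server also needs a token the attacker cannot obtain, and a fixed value like 23nikhu is no better than none; secrets.token_urlsafe gives a fresh one per session and hmac.compare_digest checks it without leaking timing. Browsers have since added a client-side layer too: a session cookie marked SameSite=Lax (the default in Chromium-based browsers since 2020) is not sent on a cross-site <img> fetch at all, which is why the logout trick in this thread is much less likely to work today; that is defence in depth, not a replacement for the token.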