I was wondering if CSRF attacks works through images...

[Chick]

Since your browser goes the page itself to fetch the image for you to see I'm just curious if this would work.



Oh, thats cool, it really does log me out of Google. LOL, take a look at the url yourself.

[qed]

This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.

Quit the spam.

[Chick]

This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.

Quit the spam.

Yes, but your browser sends a http request to the url.

[qed]

This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.

Quit the spam.

Yes, but your browser sends a http request to the url.

But, but...

Not working + spam thread => Big fail.

[bluefirecorp]

What the hell, it DOES work.

Logged me outta my google account, I use windows 7 ult with google chrome
0.0

[BCEmporium]

Yes it DOES work, it's a matter of the REQUEST not the RETURN.

If you're logged in to www.xpto.com

and get into the xpto.com's attacker site www.scammerzR.us a fake image from scammerzR.us can make you perform some request at xpto.com.
Let's say, www.xpto.com's creator is lousy coder, to withdraw btc all you've to do is call withdraw.php?amount=10&addr=bitcoinAddress...
An image at scammerzR.us pointing at <img src="http://www.xpto.com/withdraw.php?amount=all&addr=scammerzRusAddress" /> would make you transfer all from your account to his.

CSRF is however a veryyyyyyyy long shot attack, the attacker has to have a reason to believe you may be logged in to the target site to input that sort of code. Normally this works better against sites like Facebook where even if currently you're not there you may have an auth cookie.

[qed]

Yes it DOES work, it's a matter of the REQUEST not the RETURN.

If you're logged in to www.xpto.com

and get into the xpto.com's attacker site www.scammerzR.us a fake image from scammerzR.us can make you perform some request at xpto.com.
Let's say, www.xpto.com's creator is lousy coder, to withdraw btc all you've to do is call withdraw.php?amount=10&addr=bitcoinAddress...
An image at scammerzR.us pointing at <img src="http://www.xpto.com/withdraw.php?amount=all&addr=scammerzRusAddress" /> would make you transfer all from your account to his.

CSRF is however a veryyyyyyyy long shot attack, the attacker has to have a reason to believe you may be logged in to the target site to input that sort of code. Normally this works better against sites like Facebook where even if currently you're not there you may have an auth cookie.

Not working for me on google. If it does work for www.xpto.com it plain means it is an awful site.

[Klestin]

It will only work on sites which take an action on a GET, since images are always a GET and not a POST.  So, rule number 1 of site design is to never do anything destructive on a GET.  In general, logging out is about the worst you can do to someone on a reputable site.

[cmh]

If it doesn't work for you, see if you are really logged into a "google accounts" account. It won't log you out of a regular gmail account.

[cmh]

Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
I decided to remove it so everybody doesn't get mad at me.

[DamienBlack]

That is crazy. So when all the sites had CSRF vulnerabilities, we could have all been hijacked with imbedded images that we never see. Just browsing the forum was dangerous. I guess most CSRF exploits read a cookie for session information, but still...

[fascistmuffin]

Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
I decided to remove it so everybody doesn't get mad at me.

Time to start to troll other forums with that as the sig image. 

But in all seriousness, I'm surprised Google falls for this. I always imagined they were mostly on top of web design best practices and security.

[BCEmporium]

Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
I decided to remove it so everybody doesn't get mad at me.

Time to start to troll other forums with that as the sig image. 

But in all seriousness, I'm surprised Google falls for this. I always imagined they were mostly on top of web design best practices and security.

Some functions are harmless, like log you out. To the worse what would happen is you to have to login again.
You can prevent that with a token, eg: ?logout&hl=en&token=23nikhu so his image wouldn't do nothing missing the token (that should be something random)