Thursday, December 4, 2008

Popular Home DSL Routers At Risk Of CSRF Attack - DarkReading

Most of the people I talk to feel like their home environment for computing is 'safe'. The ones that feel MOST secure tell me how they're behind a router, so there is no way for them to be attacked. Hmm, maybe they should read the paper below! In it, a researcher has shown how a home router can easily be worked around by using an old technique called cross-site request forgery (CSRF).

(Cross-Site Request Forgery) An online forgery that requires knowledge of which Internet-based institutions a person deals with. It is used to steal money or obtain valuable data such as credit card numbers. Also called an "XSRF," "sea surf" and "confused deputy attack," the CSRF is embedded in a fake link or bogus script on a Web page. In either case, the browser executes a malicious transaction such as a wire transfer to the cybercrook's bank.

The CSRF exploit only works if the user is already logged onto the institution's Web site that is being targeted or has recently logged on, in which case a stored cookie used for authentication may still be active.

Today's exploit is described as:

"A CSRF attack on a DSL router could be launched from a social networking site, Hamiel says, using an image tag on a MySpace page, for example. 'Everyone who viewed my MySpace page with AT&T DSL and the Motorola/Netopia DSL modem would be owned,' he says."
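On the defensive side, here is an added example (not from the article, the researcher, or any router vendor) of the server-side checks that reject a cross-site request like the image-tag one described above. The admin address `192.168.1.254`, the function names, and the sample requests are assumptions made for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Assumption: the admin UI is served from this origin (a typical LAN address).
ADMIN_ORIGINS = {"http://192.168.1.254"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(url):
    """Reduce a URL or Origin header value to scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def allow_admin_request(method, changes_state, headers, session_token, form_token):
    """Return (allowed, reason) for a request to the router's admin interface."""
    # 1. Settings must never change on GET: an <img> tag can only issue GET.
    if changes_state and method.upper() in SAFE_METHODS:
        return False, "state change over safe method"
    if not changes_state:
        return True, "read-only"
    # 2. The request must originate from the admin UI itself.
    source = headers.get("Origin") or headers.get("Referer")
    if source is None or _origin_of(source) not in ADMIN_ORIGINS:
        return False, "cross-origin or missing Origin/Referer"
    # 3. A per-session token that a foreign page cannot read must be present.
    if not session_token or not form_token:
        return False, "missing CSRF token"
    if not hmac.compare_digest(session_token, form_token):
        return False, "CSRF token mismatch"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("GET", True, {"Referer": "http://social.example/profile"}, "t0k3n", None),
    ("POST", True, {"Origin": "http://social.example"}, "t0k3n", None),
    ("POST", True, {"Origin": "http://192.168.1.254"}, "t0k3n", "wrong"),
    ("POST", True, {"Origin": "http://192.168.1.254"}, "t0k3n", "t0k3n"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[2], "->", allow_admin_request(*sample))
```

Because the browser attaches the victim's stored authentication automatically, the session cookie alone proves nothing about where a request came from; the three checks above are what separate the admin page's own form from a request triggered by another site.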
