March 20th, 2008
Not scared about Cross-Site Request Forgery? You should be... you're scared of jail, aren't you?
Robert Hansen aka R-Snake has posted a very interesting article today over at his blog. As R-Snake states:
Whelp, we’ve talked about it, but now it’s finally possible. CSRF can now cause jail time. The FBI has begun arresting people who click on links to supposed child pornography. Now, I understand the noble pursuit, but there’s a fairly huge flaw in the old logic. I can force users to click on links anytime I want. Now here comes some interesting CSRF technology grey area. The authorities might reasonably say, “The referrer doesn’t match.” Okay, well that’s what our good friend META refresh is for. I can force you to click on things without leaving a referring URL at all.
So now the real question is would a user with no referring URL be worthy of investigation?
I agree completely with R-Snake on this topic. While I would love to take down those trying to view child pornography, I think we should all be scared of a world where someone can simply force you to view a page through CSRF and possibly get you arrested for a very serious crime. It seems like with each new law related to technology, I get more and more scared of even using the internet. You have laws come up like this that put people at risk of being wrongly implicated, and then you have regulatory laws and standards like PCI that are so ambiguous they give companies an out to say “We did everything you told us to!” while leaving their web applications grossly insecure (specifically, I’m talking about the pentesting clause, which is so ambiguous that nobody can tell whether a company has actually met the mark or not).
Thanks to R-Snake for jumping on top of this and pointing it out; this is hugely important. At some point, law enforcement and the government are going to HAVE TO START TALKING TO THE SECURITY PROFESSIONALS, because with the poor decisions they are making about these laws, none of us are safe.
-Nate

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios.