[WEB SECURITY] Cross Site Identification (CSID) attack. Description and demonstration.

Ronen Z ronen at quaji.com
Wed Jan 13 10:37:57 EST 2010


A new type of vulnerability is described in which publicly available
information from social network sites obtained out of context, can be used
to identify a user in cases where anonymity is taken for granted.

This attack (dubbed Cross Site Identification, or CSID) assumes the
following scenario: A user that is currently logged on to her social network
account visits a 3rd party site, supposedly anonymously, in another browser
tab. The 3rd party site causes her browser to contact the social network
site and exploit the vulnerability resulting in her identity being disclosed
to the attacker. The 3rd party target site is not necessarily controlled by
the attacker. It could also be, for example, any site allowing user provided
content that includes an image link (basically any forum or blog site).
Other possibilities exist.

While the information that is received by the attacker is technically
publicly available, obtaining it in this manner effectively lifts the veil
of anonymity from the user when interacting with the 3rd party site.

Three social networks were tested and all were found to contain the
vulnerability. These are Facebook, Orkut and Bebo. Some of the
vulnerabilities were design flaws. The vulnerabilities are described and
demonstrated. The sites were contacted in advance yet some of the
vulnerabilities are still open.

CSID is not bound only to social network sites but might be found on any
site that authenticates its users. Various flavors of the attack are

The post below contains a detailed description of the attack and its
implications. It also includes details about the live vulnerabilities found.

Post/White Paper:

Ronen Zilberman

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20100113/aecb4c3d/attachment.html>

More information about the websecurity mailing list