mrb's blog

How I Defend Myself Against CSRF (and That New Type of Phishing Attack)

Keywords: attack csrf security web

Imagine the following scenario. You are browsing the web and have multiple open browser tabs. You need to check your emails and remember that you had the Gmail page open earlier. You quickly scan the list of tabs, looking for the familiar Gmail favicon and page title, click on it, and see the Gmail login page. Your session probably timed out, so you provide the credentials and log in. Pwned! The attacker just stole your password.

What happened? This is a new type of phishing attack that Aza Raskin describes today on his blog. Basically, one of the tabs was the attacker's website that you were enticed to visit. It looked like a typical, non-malicious website (not the Gmail page). JavaScript code detected that the page did not have focus and had not been interacted with for a while, at which point it surreptitiously replaced its favicon, page title, and page content with a Gmail look-alike. Even many of the most savvy users could fall for this trick. All it takes is a moment of forgetfulness, a moment where you forget to double-check the URL before submitting private information.
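A defender-side check for the behavior described above, as an added example that is not part of the original post: a userscript-style watcher that records a tab's title, favicon and whether it contains a password field when the tab is hidden, then compares them when the tab becomes visible again. The function names and the warning text are assumptions made for this example.

```javascript
// Added example: flag a tab that changes its identity while hidden.
// `doc` is anything shaped like the browser's `document`.
function snapshotIdentity(doc) {
  const icons = Array.from(doc.querySelectorAll('link[rel~="icon"]'))
    .map((link) => link.href)
    .sort()
    .join("\n");
  return {
    title: doc.title,
    icons,
    hasPassword: doc.querySelector('input[type="password"]') !== null,
  };
}

// Returns the list of identity attributes that differ between two snapshots.
function diffIdentity(before, after) {
  const changed = [];
  if (before.title !== after.title) changed.push("title");
  if (before.icons !== after.icons) changed.push("favicon");
  // A login form that appeared while nobody was looking is the strongest signal.
  if (!before.hasPassword && after.hasPassword) changed.push("password-field");
  return changed;
}

// Take a snapshot when the tab is hidden, compare when it is visible again.
function watchTab(doc, onAlert) {
  let atHide = null;
  const handler = () => {
    if (doc.visibilityState === "hidden") {
      atHide = snapshotIdentity(doc);
    } else if (atHide !== null) {
      const changed = diffIdentity(atHide, snapshotIdentity(doc));
      atHide = null;
      if (changed.length > 0) onAlert(changed);
    }
  };
  doc.addEventListener("visibilitychange", handler);
  return handler;
}

// In a browser (for example as a userscript), watch the real document.
if (typeof document !== "undefined") {
  watchTab(document, (changed) =>
    console.warn(`Tab changed ${changed.join(", ")} while in the background; check the URL.`));
}
```

Legitimate pages also update their title in the background (unread counters, for instance), so a title-only result is a prompt to look at the address bar, while a favicon change combined with a newly appeared password field deserves real suspicion.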

As an information security professional, I am paranoid by nature. I am glad to realize that the way I have been browsing the web for the past few years already protects me against this type of phishing attack. My paranoia finally pays off :-) I have 2 browsers. I use browser A for my general needs, and browser B only for my important authenticated sessions: my webmail, bank, broker, etc. Also, I only have one tab open at a time in browser B, and I always log off before opening another site in this tab. If I were to see a Gmail page in browser A, amongst my myriad of other tabs, it would immediately raise a red flag.

But the reason I have been browsing this way was not originally to protect me against this specific type of phishing attack. After all, I only learned about it today! I follow this strict habit in order to defend myself against CSRF vulnerabilities, one of the biggest and most overlooked classes of web security vulnerabilities in my opinion. As a matter of fact, Gmail itself was vulnerable to CSRF at least 2 times in recent history (January 2007, March 2009). This is why I only have one tab open at a time in my second browser. No other site open means that no other site can perform a CSRF attack against my authenticated session. The two browsers help me make this strict procedure much less painful, as I can visit as many unauthenticated sites as I want in the other one. Of course I may sometimes visit authenticated sites in the latter, but only if I consider them unimportant, i.e. if I consider it a non-issue to have my credentials stolen via CSRF.

Comments are welcome. I would love to hear ideas to make browsing more secure.

Comments

bob wrote: Wouldn't this be a non-issue if you always closed and reopened a page that asked for your credentials?

So you click on a Gmail tab (that's not really a Gmail tab) and see that it wants you to log in. You close the tab, click on your Gmail bookmark (or enter it on the address bar) and go from there?

Am I missing something with this technique?

interesting writeup, thx,
bob
26 May 2010 14:58 UTC

mrb wrote: Yes, what you suggest would protect you from this new type of phishing attack.

But it would not protect you from CSRF attacks.
26 May 2010 23:31 UTC
