09/30/2008
ING online banking allowed anyone to create new accounts on behalf of any customer
1. ING Direct (ingdirect.com)
Status: Fixed
We found a vulnerability on ING's website that allowed additional accounts to be created on behalf of an arbitrary user. We were also able to transfer funds out of users' bank accounts. We believe this is the first CSRF vulnerability to allow the transfer of funds from a financial institution. Specific details are described in our paper.
comment
This CSRF trouble has so far only made headlines because it was shown to work against video and social websites, without any financial consequences. That changes here, because money was actually transferred. The other thing about CSRF, and all the other web 2.0 security problems, is that once you read some books about it, it all becomes rather depressing: there are so many ways to use it and so many things to check. You can start by closing all the obvious loopholes and then use the attack tools to test whether there are others, but in the end, if there is money involved, you will need an ethical hacker to think and act like an attacker. It is a human attacker who keeps trying until he finds the thing nobody thought about before, which is exactly how CSRF attacks came about.
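As an added illustration (this is not code from the post, from ING, or from the paper it cites), here is a toy Python model of a funds-transfer handler in the two states the post contrasts: one that trusts the session cookie alone, and one hardened with the two standard CSRF defences, a per-session synchronizer token in the bank's own form plus an Origin/Referer check. The bank and attacker origins, the user names and the balances are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed in-memory state standing in for a session store and a ledger.
SESSIONS = {}       # session_id -> username
CSRF_TOKENS = {}    # session_id -> per-session synchronizer token
BALANCES = {"alice": 1000, "mallory": 0}
BANK_ORIGIN = "https://bank.example"   # hypothetical bank origin (not ING's)


@dataclass
class Request:
    """What the server sees: cookies the browser attached, form fields, headers."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def login(username: str) -> str:
    """Create a session and a CSRF token; returns the session id stored in the cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = username
    CSRF_TOKENS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the bank embeds as a hidden field in its own transfer form."""
    return CSRF_TOKENS[sid]


def _do_transfer(src: str, dst: str, amount: int) -> bool:
    if dst not in BALANCES or BALANCES.get(src, 0) < amount:
        return False
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return True


def _request_origin(headers: dict):
    """Origin header if present, else scheme://host of the Referer, else None."""
    if headers.get("Origin"):
        return headers["Origin"]
    ref = headers.get("Referer")
    if ref:
        p = urlsplit(ref)
        return f"{p.scheme}://{p.netloc}"
    return None


def transfer_vulnerable(req: Request) -> bool:
    """Authenticates by session cookie only: any request the browser sends with
    that cookie is honoured, including one a third-party page auto-submitted."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return False
    return _do_transfer(user, req.form["to"], int(req.form["amount"]))


def transfer_hardened(req: Request) -> bool:
    """Same handler with two checks a forged cross-site request cannot satisfy."""
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return False
    # 1. Synchronizer token: a foreign page cannot read the bank's form, so it
    #    cannot copy the token into its forged request. Constant-time compare.
    if not hmac.compare_digest(CSRF_TOKENS.get(sid, ""), req.form.get("csrf_token", "")):
        return False
    # 2. Origin/Referer must be the bank itself; fail closed if both are absent.
    if _request_origin(req.headers) != BANK_ORIGIN:
        return False
    return _do_transfer(user, req.form["to"], int(req.form["amount"]))


def simulate() -> dict:
    """Alice is logged in; a page on evil.example auto-submits a transfer form
    in her browser. Returns the outcome against both handlers."""
    BALANCES.update({"alice": 1000, "mallory": 0})
    sid = login("alice")
    forged = Request(
        cookies={"session": sid},                  # browser attaches the cookie itself
        form={"to": "mallory", "amount": "500"},   # no csrf_token: attacker cannot read it
        headers={"Origin": "https://evil.example"},
    )
    legit = Request(
        cookies={"session": sid},
        form={"to": "mallory", "amount": "100", "csrf_token": csrf_token_for(sid)},
        headers={"Origin": BANK_ORIGIN},
    )
    results = {"forged_vs_vulnerable": transfer_vulnerable(forged)}  # True: money leaves
    BALANCES.update({"alice": 1000, "mallory": 0})
    results["forged_vs_hardened"] = transfer_hardened(forged)        # False: rejected
    results["legit_vs_hardened"] = transfer_hardened(legit)          # True: real form works
    results["alice_balance"] = BALANCES["alice"]
    return results


if __name__ == "__main__":
    print(simulate())
```

Either check alone stops the forged request; keeping both means a Referer-stripping proxy or a token leak does not by itself reopen the hole, which is the "close the obvious loopholes first" step the post recommends before bringing in a tester.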
Just a reminder for our Belgian friends: testing this without the explicit approval of the site's owner is a crime in Belgium.
We said last week that Belgian banks were becoming safer; sorry for our naivety, we wanted to believe them. Honestly, we would be so happy if we could believe it and go back home and play with my computer instead of writing this stuff.