Don't Let Bad Guys Pose as You
Flaws let attackers trick a Web site into providing your personal information.
Like a con artist who disguises himself as you so he can walk unmolested into your office building, a small but growing type of online threat takes advantage of Web site programming flaws to try to access your online accounts.

Google recently fixed such a flaw that malefactors could exploit to steal a Gmail user's full contact list. The threat used the arcane-sounding "cross-site request forgery" (CSRF) strategy. The ploy is similar to cross-site scripting (XSS) attacks, in which attackers booby-trap a trusted site by rigging it with links that take the visitor to malicious destinations. But whereas XSS attacks exploit the trust that a user has for a site, CSRF attacks exploit the trust a Web site has for a user, according to WhiteHat Security chief technology officer Jeremiah Grossman.

Once you are logged in to a Web site, it trusts all requests that come from your browser. So CSRF forgeries simply tri
April 7, 2007 at 04:49 am by Obi-Akpere
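The trust problem described above, as an added example (not code from the article or from Google's fix): a handler that accepts any request carrying a valid session cookie, next to one that also requires a per-session token and a matching Origin header. The session store, the origin names and the request dictionaries are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)      # server-side secret, never sent to the browser
SESSIONS = {"sess-1234": "alice"}         # constructed session store: cookie value -> user
TRUSTED_ORIGIN = "https://mail.example"   # hypothetical origin of the site itself


def csrf_token(session_id: str) -> str:
    """Token bound to one session; a page on another origin cannot read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_cookie_only(req: dict) -> int:
    """Weak: a valid session cookie is the only thing checked."""
    return 200 if req["cookies"].get("session") in SESSIONS else 401


def handle_with_csrf_check(req: dict) -> int:
    """Hardened: the cookie says who the user is, token and Origin show intent."""
    session_id = req["cookies"].get("session", "")
    if session_id not in SESSIONS:
        return 401
    # Assumption for this example: requests without an Origin header are refused.
    if req["headers"].get("Origin") != TRUSTED_ORIGIN:
        return 403
    supplied = req["form"].get("csrf_token", "")
    expected = csrf_token(session_id)
    # Constant-time comparison on bytes avoids leaking how much of the token matched.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    return 200


# Constructed requests. The browser attaches the session cookie to both of them.
same_site = {
    "cookies": {"session": "sess-1234"},
    "headers": {"Origin": TRUSTED_ORIGIN},
    "form": {"action": "export_contacts", "csrf_token": csrf_token("sess-1234")},
}
cross_site = {
    "cookies": {"session": "sess-1234"},
    "headers": {"Origin": "https://other.example"},
    "form": {"action": "export_contacts"},
}

if __name__ == "__main__":
    for name, req in (("same-site", same_site), ("cross-site", cross_site)):
        print(name, handle_cookie_only(req), handle_with_csrf_check(req))
```

The cookie-only handler answers both requests identically, which is why the site cannot tell the user's own click from a request another page caused the browser to send.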



