The site allowed attackers to “recommend articles with commentary [and] they could capture e-mail addresses,” Felten said in an interview.
Because the website keeps members logged in for longer than most websites, he explained, members remained susceptible to security breaches long after they had navigated away from the site.
The vulnerability arises from the “e-mail this” feature, which makes user e-mail addresses available to the attacker, according to the report.
An attacker can remotely take advantage of the flaw by determining that a user has left the webpage without logging out and then returning to the page to access that account as if he were the user.
“We take the security of our site and our users very seriously and act quickly to address any vulnerabilities,” a Times spokeswoman said in a statement to cnet.com, a technology news website. “The issues outlined in the report have been resolved.”
The flaw also affected the websites of YouTube, ING Direct and the blog MetaFilter and is potentially found on many other sites.
Though YouTube, ING Direct and MetaFilter fixed their sites last year almost immediately after being notified by the two researchers, the Times did not initially address the problem, Zeller said.
Felten and Zeller wanted to give the websites notice of the flaws before publishing the research, Zeller explained, noting that the Times did not respond in time for their publication date. The last notification sent to the Times was in September 2007, Zeller said.
MetaFilter, on the other hand, fixed its site within two days of being told about it, Zeller said.
“It was just about the nicest way imaginable to be notified of a security hole,” MetaFilter founder Matthew Haughey said in an e-mail. “[Zeller] ... explained to me how he got access and how he took over another account.”
Haughey said he was able to “fix it up quickly and provide a long-term solution that has kept the site secure long after this momentary breach” with Zeller’s help.
“The bottom line is that the sorts of websites you log into and interact with ... have to be designed carefully,” Felten said.
Felten, also the director of the Center for Information Technology Policy, noted that a YouTube member who remained signed in was particularly vulnerable to a wide range of actions.
“An attacker could have added videos to a user’s ‘Favorites,’ add himself to a user’s ‘Friend’ or ‘Family’ list, sent arbitrary messages on the user’s behalf ... automatically shared a video with a user’s contacts [and] subscribed a user to a ‘channel,’ ” according to the report.
YouTube spokesman Chris Dale declined to comment on the specific details of the breach but said that “YouTube is committed to identifying and closing any security holes discovered on the site and preventing similar attacks from happening in the future.”
On ING’s site, if a user logged in and then moved to another site, a hacker could have conceivably transferred money out of the member’s account, Felten said.
Because the user remained logged in, ING would not know that the sender of a request was not in fact the user in question, Zeller explained.
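The mechanism Zeller describes is that the browser attaches the user's session cookie to a request no matter which page triggered it, so a server that authorizes on the cookie alone cannot tell a forged cross-site submission from a genuine one. The following is an added illustration, not code from the paper or from any of the sites named in the article: a simulated transfer endpoint in its cookie-only form beside a version that also demands a per-session token that a foreign page cannot read. The in-memory store, user, balances and amounts are constructed sample data.

```python
import hmac
import secrets


def new_store():
    """Constructed sample state: one user with a long-lived session cookie."""
    return {
        "sess-alice": {
            "user": "alice",
            "balance": 1000,
            "csrf_token": secrets.token_hex(16),  # secret issued with the session
        }
    }


def transfer_vulnerable(store, cookies, form):
    """Authorizes on the session cookie alone: the design the article describes.
    Returns (HTTP status, message)."""
    session = store.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    amount = int(form["amount"])
    session["balance"] -= amount
    return 200, f"sent {amount} to {form['to']}"


def transfer_protected(store, cookies, form):
    """Same endpoint, but also requires the session's CSRF token in the form.
    The browser never adds this field on its own, and a page on another
    origin cannot read it, so a cross-site submission arrives without it."""
    session = store.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    amount = int(form["amount"])
    session["balance"] -= amount
    return 200, f"sent {amount} to {form['to']}"


def cross_site_submission():
    """What the server sees when another site submits a form while the user
    is still logged in: the cookie is present, the token is not."""
    return {"session": "sess-alice"}, {"to": "other-account", "amount": "500"}


def same_site_submission(store):
    """A submission from the site's own transfer page, which embedded the token."""
    token = store["sess-alice"]["csrf_token"]
    return {"session": "sess-alice"}, {"to": "bob", "amount": "100", "csrf_token": token}


def demo():
    """Run both handlers against a cross-site and a same-site submission
    and report status codes and the balance after the cross-site one."""
    results = {}
    for name, handler in (("vulnerable", transfer_vulnerable),
                          ("protected", transfer_protected)):
        store = new_store()
        cookies, form = cross_site_submission()
        status, _ = handler(store, cookies, form)
        results[name] = {
            "cross_site_status": status,
            "balance_after_cross_site": store["sess-alice"]["balance"],
        }
        cookies, form = same_site_submission(store)
        status, _ = handler(store, cookies, form)
        results[name]["same_site_status"] = status
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The token check is the synchronizer-token pattern: the secret lives in the server-side session and is copied into each of the site's own forms, so only a request that originated from that page can carry it. Comparing with `hmac.compare_digest` keeps the check constant-time; the same idea applies equally to YouTube-style actions (favorites, friend lists, messages) as to a bank transfer.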
ING could not be reached for comment.
Though the four sites mentioned in Felten and Zeller’s paper have been fixed, Felten noted that he and Zeller “believe that a lot of websites are vulnerable to these attacks.”
Felten said that website administrators need to be proactive about cyber security.
“Unless the website does something to protect themselves, they’re vulnerable,” he said.