Combatting CSRF at Eventbrite: Safeguarding Strategy

Background

Cross-Site Request Forgery (CSRF), also known as “Sea Surf,” Session Riding, Hostile Linking, or one-click attacks, is a prevalent web security vulnerability that exploits users’ trust in websites to execute unauthorized actions. In a CSRF attack, an attacker tricks a victim into unwittingly performing actions on a trusted website. This is typically achieved by enticing the victim to click on a URL or image embedded in a message on social platforms or other online channels. 

Once the victim interacts with the malicious link or image, the attacker can execute various actions on the victim’s behalf without their knowledge. This poses a significant threat as CSRF attacks can manipulate the victim’s session on the targeted website, allowing the attacker to perform actions as if they were the victim.

CSRF attacks predominantly exploit websites lacking mechanisms to distinguish between legitimate user requests and unauthorized ones generated without user consent. These attacks typically aim to execute state-changing actions, such as modifying email addresses, altering passwords, or initiating unauthorized fund transfers.

Real-World CSRF examples

Several noteworthy instances of CSRF vulnerabilities have been identified in the past, prompting remedial actions from affected organizations. For instance, in 2008, ING Direct, a Dutch-based multinational banking group, faced a CSRF vulnerability within its banking website, enabling attackers to execute fund transfers from users’ accounts without their consent. Similarly, in the same year, the uTorrent website experienced a CSRF attack, resulting in the widespread distribution of malware through downloads.

In 2014, McAfee’s website was found to be susceptible to CSRF attacks[1], which allowed malicious users to tamper with other users’ accounts. Furthermore, in 2020, TikTok encountered a CSRF vulnerability[3], enabling attackers to distribute malware-laden messages to unsuspecting users. Subsequently, once the malware was deployed, malicious actors could initiate requests from the compromised accounts on behalf of the users. These incidents underscore the importance of promptly addressing and rectifying CSRF vulnerabilities to safeguard user data and mitigate potential risks.

Mitigation Mechanism

As per the OWASP community guidelines on ‘Cross-Site Request Forgery Prevention,’ the foremost and widely endorsed approach to mitigate CSRF attacks is the use of CSRF tokens, also termed ‘synchronizer tokens,’ which are generated server-side. These tokens are securely generated secrets, characterized by high unpredictability and uniqueness per request for each user. On each request the server verifies that the token is still valid and that its value matches the one it issued. If an expired token or a mismatch in token value is detected, the request is promptly aborted, thereby preventing the execution of unauthorized actions.

Security Protocols at Eventbrite

The Security team at Eventbrite is responsible for all aspects of information security across the organization. Comprising seasoned security professionals, this team is committed to conducting thorough security assessments and setting stringent security protocols.

Shielding against CSRF

One such measure includes the implementation of a robust CSRF token mitigation system. In 2016, server-side CSRF protection was enforced for all HTTP requests across the website at Eventbrite. A unique, unpredictable token is generated along with each action, which effectively safeguards our website against CSRF attacks.

Additional line of defense – Admin Portal

As part of its routine, thorough checks aimed at strengthening our website’s defense against CSRF attacks, our security team detected a potential weakness in the existing CSRF protection. This came to light when we encountered an attack that exploited the re-use of a CSRF token to execute a harmful action: changing an admin user’s password.

To address this priority concern, we implemented an additional layer of security exclusive for our internal admin portal. The initial step involved restricting HTTP requests solely to the admin portal subdomain, ensuring they originate from the same source. This effectively limits cross-origin access to the admin subdomain. Furthermore, we introduced an enhanced approach to CSRF token generation exclusively for admin portals, ensuring tokens are more unique and secure. These tokens are now form-specific and generated for every submit action within the admin portal.

In this comprehensive approach, we’ve strictly prohibited cross-domain calls that attempt to use CSRF tokens originally generated on the customer-facing domain to access the admin subdomain. This bolsters the effectiveness of our security measures, further enhancing our defense against potential threats.
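The following is an added example, not Eventbrite’s own code, that sketches the two admin-portal controls described above together with the synchronizer-token validation from the Mitigation Mechanism section: requests are first checked against the admin subdomain’s origin, and only then is a form-specific, single-use, expiring token consumed, so a replayed token (the failure mode that triggered this work) is rejected. The admin origin, the token lifetime and the in-memory store are assumed placeholders.

```python
import hmac
import secrets
import time
from urllib.parse import urlsplit

ADMIN_ORIGIN = "https://admin.example.test"  # placeholder for the admin subdomain (assumed)
TOKEN_TTL = 600                               # seconds a token stays valid (assumed)


class CsrfStore:
    """Server-side synchronizer-token store: one single-use token per (session, form)."""

    def __init__(self):
        self._tokens = {}  # (session_id, form_id) -> (token, issued_at)

    def issue(self, session_id, form_id, now=None):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unpredictable
        self._tokens[(session_id, form_id)] = (token, time.time() if now is None else now)
        return token

    def validate(self, session_id, form_id, presented, now=None):
        now = time.time() if now is None else now
        entry = self._tokens.pop((session_id, form_id), None)  # pop => single use
        if entry is None or not isinstance(presented, str):
            return False
        token, issued_at = entry
        if now - issued_at > TOKEN_TTL:  # expired tokens are discarded, never honoured
            return False
        return hmac.compare_digest(token.encode(), presented.encode())  # constant time


def same_origin(headers, expected_origin):
    """Accept only requests whose Origin (Referer as fallback) is the admin subdomain."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # no source information: treat as cross-origin
    got, exp = urlsplit(src), urlsplit(expected_origin)
    return (got.scheme, got.netloc) == (exp.scheme, exp.netloc)


def handle_admin_post(store, headers, session_id, form_id, presented_token, now=None):
    """Order matters: reject cross-origin traffic before spending the token."""
    if not same_origin(headers, ADMIN_ORIGIN):
        return "rejected: cross-origin"
    if not store.validate(session_id, form_id, presented_token, now):
        return "rejected: bad, expired or reused token"
    return "ok"
```

Because tokens are keyed by form as well as session, a token issued for one form (or on another domain’s store) cannot be presented to a different admin form, and the pop-on-validate makes the second use of any token fail.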

References:
  1. Blatz, Jeremiah. CSRF: Attack and Defense. 2011. 21 February 2013.
  2. OWASP. Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet. 21 October 2012.
  3. https://learn.snyk.io/lesson/csrf-attack/
  4. https://research.checkpoint.com/2020/tik-or-tok-is-tiktok-secure-enough/
