The New York Times 2008 CSRF
The New York Times 2008 CSRF Attack
In 2008, The New York Times website was found to be vulnerable to a CSRF (Cross-Site Request Forgery) attack, allowing attackers to unsubscribe users from the email newsletter without their consent.
Below one is another attack. Both attacks were CSRF-based vulnerabilities, but the Email This attack leaked user data, whereas the Unsubscribe attack only altered preferences. The "Email This" attack had a higher security impact because it exposed personal information. π¨
What Was the Vulnerability?
- The New York Times had an unsubscribe feature that used a simple GET request to remove users from their email list.
- No CSRF tokens or authentication were required to verify if the user actually intended to unsubscribe.
- Attackers could force users to unknowingly unsubscribe by embedding malicious links in third-party websites.
How Did the Attack Work?
-
User Was Logged into The New York Times
- The victim had an active session with The New York Times and was subscribed to newsletters.
-
User Visited a Malicious Website
- The attacker hosted a malicious webpage containing an image tag (
<img>) or an invisible iframe (<iframe>). - The webpage automatically sent a forged request to The New York Times.
- The attacker hosted a malicious webpage containing an image tag (
-
Malicious Unsubscribe Request Sent
-
The malicious site silently executed:
<img src="https://www.nytimes.com/unsubscribe?email=victim@example.com"> -
Since the victimβs browser automatically included their authentication cookies, The New York Times processed the request as if the user had manually unsubscribed.
-
-
The User Was Unsubscribed Without Consent
- The victim had no idea that they were removed from the newsletter.
Why Was The New York Times Vulnerable?
-
No CSRF Tokens Used
- The unsubscribe request did not require a CSRF token, making it easy to forge.
-
GET Requests Modified State
- Actions that change user data should never use GET requests.
- The website should have used POST requests with CSRF protection.
-
Cookies Were Automatically Sent
- Since the request was same-origin, browsers automatically included session cookies, making the forged request valid.
Impact of the Attack
- Users were silently unsubscribed from The New York Times newsletters.
- The attack could be automated, affecting thousands of users quickly.
- If extended, this method could have been used for more harmful actions (e.g., account modifications).
How The New York Times Fixed It
β Implemented CSRF Tokens:
- Now, users must submit a unique CSRF token with every unsubscribe request.
β Switched from GET to POST Requests:
- The unsubscribe action now requires a POST request instead of GET.
β Added Confirmation Steps:
- Users now need to confirm their action via a confirmation page before unsubscribing.
β Implemented SameSite=Lax Cookies:
- This prevents cookies from being automatically sent in cross-origin requests.
Lessons from The New York Times CSRF Attack
πΉ Always require CSRF tokens for state-changing requests.
πΉ Use POST, not GET, for sensitive actions (e.g., modifying user settings).
πΉ Confirm user actions before executing irreversible changes.
πΉ Monitor unusual traffic patterns to detect CSRF attempts early.
The 2008 New York Times CSRF attack showed how even simple features like an unsubscribe button can become a security risk if not properly secured. π