4

Websites like SuperLogout log the user out of several websites in one go. I want to know in what way this poses a potential threat to the users of the website?

How can this be combined with a phishing attack? And any other potential threats?

Anders
bane19

4 Answers

4

The only threat I see there is someone logging a user out by CSRF to force the victim to enter his credentials again. But this would only be useful if the attacker had a way to capture the credentials. This would require one of these possibilities:

  • The attacker has found an XSS weakness in the targeted website that allows extraction of credentials, by changing the action attribute of the form for example
  • The attacker is able to perform a MITM attack on the victim and the targeted website does not support SSL, so the credentials can be captured in cleartext
  • The attacker has direct access to the client's PC and has installed a keylogger which will then capture the credentials

In most cases CSRF logout won't be a serious threat, at least not compared to other vulnerabilities that can be found in many web applications.

davidb
3

It's potentially a DOS attack, though only for some very specific scenarios. If Alice wants to give Bob access to her Netflix account, but doesn't want to reveal the password, she can log in to Netflix on Bob's computer. If Bob visits MaliciousLogoutSite.com, he'll get logged out of Netflix even though he didn't intend to.

There's also some potential for interrupting users. If Alice is watching a movie on Netflix, then casually browses to MaliciousLogoutSite.com, she'll get logged out of Netflix, stopping the movie.

For Netflix, this is a minor annoyance, but what if Alice is logged into a stock trading site, and Bob wants to prevent Alice from buying or selling a stock at a critical moment? All Bob has to do is send Alice a link to a website that logs her out of her trading account, and she has to log back in again.

I don't know of any reason why a logout action shouldn't be protected from CSRF actions, but I haven't thought about it that deeply.

Steve Sether
  • Thanks! Isn't it possible to redirect the victim to the attacker's own fake login form and then capture the credentials? – bane19 Oct 06 '15 at 07:21
2

No potential threats yet. It helps if you want to force someone to log in.

But there is a case: when you find a stored XSS, or you allow images from external sources on a website page with a good number of viewers (such as the home page), you can use it for denial of service attacks.

haseeb
0

The LostPass PoC showed the damage that could be done via logout CSRF.

As LastPass runs as a browser extension, once the logout CSRF was performed, the icon in the browser confirmed that the user had been logged out, providing confirmation to the user that the login form displayed was indeed from LastPass and that the user should then proceed to login using the form.

This exploit shows how a logout CSRF attack can be combined with a phishing attack, and is not only used for DoS attacks that simply cause inconvenience to the user.

Also see this related answer.

SilverlightFox
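Steve Sether's point that a logout action should be protected from CSRF, and the LastPass answer showing why that matters, as an added example that is not code from any answer here: a minimal logout handler in plain Python over a constructed request model (the allowed origin `https://example-app.test` and the demo secret key are assumptions) that refuses the cross-site GET and the forged cross-origin POST a site like the one in the question would send, and only ends the session when a session-bound token is presented.

```python
import hmac
import hashlib
from typing import Dict, Tuple

SECRET_KEY = b"constructed-demo-key"          # assumption: replace with a random secret
ALLOWED_ORIGIN = "https://example-app.test"   # assumption: the application's own origin


def make_csrf_token(session_id: str) -> str:
    """Derive a per-session token; a third-party page cannot read or guess it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_logout(request: Dict, sessions: Dict[str, str]) -> Tuple[int, str]:
    """Logout endpoint hardened against cross-site requests.

    request is a constructed model: {"method", "cookies", "headers", "form"}.
    Returns (status, message) and deletes the session only when every check passes.
    A SameSite=Lax/Strict session cookie would additionally stop the browser from
    attaching the cookie at all on the cross-site requests below.
    """
    sid = request.get("cookies", {}).get("session")
    if sid not in sessions:
        return 401, "no active session"
    # 1. Logout changes state, so it must be a POST: an <img>/<iframe> GET is refused.
    if request.get("method") != "POST":
        return 405, "logout requires POST"
    # 2. Browsers add Origin to cross-site POSTs and a page cannot forge it.
    if request.get("headers", {}).get("Origin") != ALLOWED_ORIGIN:
        return 403, "cross-site origin rejected"
    # 3. Synchroniser token bound to this session, compared in constant time.
    token = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, make_csrf_token(sid)):
        return 403, "missing or invalid CSRF token"
    del sessions[sid]
    return 200, "logged out"


def demo() -> Dict[str, Tuple[int, str]]:
    """Run a forged GET, a forged cross-origin POST and a legitimate logout."""
    sessions = {"sid-alice": "alice"}                       # constructed session store
    cookies = {"session": "sid-alice"}                      # attached by the browser regardless
    results = {}
    results["forged_get"] = handle_logout(
        {"method": "GET", "cookies": cookies, "headers": {}, "form": {}}, sessions)
    results["forged_post"] = handle_logout(
        {"method": "POST", "cookies": cookies,
         "headers": {"Origin": "https://malicious-logout.test"}, "form": {}}, sessions)
    results["legit_post"] = handle_logout(
        {"method": "POST", "cookies": cookies, "headers": {"Origin": ALLOWED_ORIGIN},
         "form": {"csrf_token": make_csrf_token("sid-alice")}}, sessions)
    results["session_gone"] = (int("sid-alice" not in sessions), "session removed")
    return results
```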