The Forum Post That Transferred Money From Your Bank Account

In 2008, a vulnerability researcher demonstrated a CSRF attack against a major bank. He posted a message on a public forum that contained a hidden image tag. When logged-in bank customers visited that forum, their browsers automatically sent a request to the bank's transfer endpoint — silently moving money to an attacker-controlled account. The customers never clicked anything. They just read a forum post.

CSRF sits in a category of attacks that feel almost unfair: the victim does everything right. They log in securely. They never share their password. They browse normally. And they still get attacked — because their browser is being used against them.

WHAT CSRF HAS BEEN USED TO DO IN THE REAL WORLD

Change account email addresses: Victim visits a malicious page → their account email is silently changed → attacker requests a password reset to the new email → account taken over

Transfer money: Victim visits a page → a hidden form submits to their bank's transfer endpoint → funds move to attacker's account → victim has no idea until they check their statement

Add attacker as admin: Victim is a logged-in admin → visits a malicious link → a hidden request adds the attacker's account to the admin group → permanent backdoor

Delete accounts or data: Victim visits a page → a hidden request triggers a destructive action (delete account, wipe data) → irreversible

Change router passwords: Home routers often have no CSRF protection. Victim on their home network visits a page → router admin password changed → attacker can reconfigure the router remotely

The victim does nothing wrong

This is what makes CSRF genuinely insidious. Unlike phishing, the victim does not hand over their credentials. Unlike malware, nothing is installed. The attack uses the browser's legitimate behaviour — sending cookies automatically — against the user. The entire burden of prevention falls on the website developer, not the user.
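To make the mechanism concrete, here is an added example (not part of the original lesson, and not the code of any real bank): an in-memory stand-in for a transfer endpoint in two versions. The vulnerable version trusts the session cookie alone, so a request the browser issues on behalf of a hidden image or auto-submitted form on another site goes through. The hardened version adds the checks a defender would: state changes only on POST, a per-session synchronizer token the attacker's page cannot read, and an Origin header check. The Request class, the SESSIONS/BALANCES tables and the scenario functions are this example's own constructions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"  # constructed origin for the example

# Constructed server state: one logged-in session and a few balances.
SESSIONS = {"sess-alice": {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}}
BALANCES = {}


def reset_state():
    BALANCES.clear()
    BALANCES.update({"alice": 1000, "attacker": 0, "bob": 0})


@dataclass
class Request:
    method: str
    cookies: dict                     # what the browser attaches automatically
    params: dict = field(default_factory=dict)   # query string or form body
    headers: dict = field(default_factory=dict)


def _session(req):
    return SESSIONS.get(req.cookies.get("session"))


def _move_money(sess, req):
    amount = int(req.params["amount"])
    BALANCES[sess["user"]] -= amount
    BALANCES[req.params["to"]] = BALANCES.get(req.params["to"], 0) + amount
    return 200, "transferred"


def handle_transfer_vulnerable(req):
    """Trusts the session cookie alone. The browser sends that cookie on any
    request to the bank's origin, whoever caused the request, so a forged
    request from another site is indistinguishable from a real one."""
    sess = _session(req)
    if sess is None:
        return 401, "not logged in"
    return _move_money(sess, req)


def handle_transfer_hardened(req):
    """Same action with CSRF defences layered on top of the session check."""
    sess = _session(req)
    if sess is None:
        return 401, "not logged in"
    # 1. An <img> tag can only issue GET; never change state on GET.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. Synchronizer token: tied to the session, embedded in the bank's own
    #    form, unreadable from another origin. Constant-time comparison.
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    # 3. Browsers attach Origin to cross-site form POSTs; reject a mismatch.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    return _move_money(sess, req)


# Scenarios. All three carry the victim's cookie, because the browser adds it.
def forged_image_get(handler):
    """Request a hidden <img> on a third-party page would trigger: GET,
    cookie attached, no token, no Origin header."""
    reset_state()
    req = Request("GET", {"session": "sess-alice"},
                  {"to": "attacker", "amount": "500"})
    return handler(req)


def forged_form_post(handler):
    """Request an auto-submitted cross-site form would trigger: POST with
    the cookie, no token, Origin set to the attacker's page."""
    reset_state()
    req = Request("POST", {"session": "sess-alice"},
                  {"to": "attacker", "amount": "500"},
                  {"Origin": "https://evil.example"})
    return handler(req)


def legitimate_post():
    """The bank's own form: token from the session, same-origin POST."""
    reset_state()
    req = Request("POST", {"session": "sess-alice"},
                  {"to": "bob", "amount": "100",
                   "csrf_token": SESSIONS["sess-alice"]["csrf_token"]},
                  {"Origin": SITE_ORIGIN})
    return handle_transfer_hardened(req)
```

Running the scenarios shows the point of the lesson: both forged requests succeed against the vulnerable handler because the cookie is all it looks at, while the hardened handler refuses them (405 for the image GET, 403 for the cross-site POST) and still accepts the legitimate same-origin POST. A production setting would also mark the session cookie SameSite=Lax or Strict so the browser itself withholds it on cross-site requests; that belongs in the login code and is not simulated here.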

Question 1. In a CSRF attack, the victim does not click any suspicious link or enter their password. How does the attack still succeed?
