Unique Benefits To Attract And Retain Strong and Diverse Candidates

Preface: I’m not a lawyer. Consult a tax and/or employment law attorney before implementing any new benefits. You can also check out the IRS guidelines on how fringe benefits are taxed. 

Being a startup is tough. Sometimes you don’t have enough cash, or time, but you need the best people possible to build up your product and make sure you are competitive. We’re always trying to think of ways to reward our employees without breaking the bank, while also showing how much they matter to us and how much we value them.

The biggest cost we face is losing an employee. When an employee leaves, we lose some of the knowledge that they have. Even if we’re great at documenting that institutional knowledge, we’re never perfect. Even interns at Tinfoil often work on big-picture, large-scale projects that affect the whole business. 

We have spent a lot of time exploring standard and fringe benefits, assessing how they can affect employee happiness. We also believe that people of differing backgrounds add different perspectives, leading to a stronger company and a stronger set of products. These benefits help us recruit a diverse company, with many of our current employees being LGBTQ+, international, or women. Other security companies struggle to find diverse candidates (e.g., cybersecurity is comprised of only 14% women). We feel like we’ve started down a good path.

Outlined below are some of the benefits we’ve tried in the past, or currently have in place, along with the advantages and pitfalls you might encounter.

Background

We’re a 7+ year-old company, based in the San Francisco Bay Area. We raised a seed round in 2011, but are currently profitable and have not needed to raise a Series A. Many of these benefits were implemented before we hit profitability, and ramped up slowly so people remain excited about what is next.

Healthcare

Overview

Healthcare, vision, and dental were required benefits when we started Tinfoil. Our first employee wouldn’t have joined without them.

Amount we put toward benefit

  • 85% of a base plan for medical (typically, the best gold we can offer). Employees can get $0 premiums by choosing a less robust plan. 
  • 100% of vision.
  • 75% of dental.
  • Dependent coverage of 50% (for all of the above)

Why?

We didn’t want to cover 100% of the best plan we could, because we prefer folks have some skin in the game and pick the plan that’s most appropriate for them, rather than just picking an expensive one they don’t need or won’t use. We also wanted to make sure that we could help cover the cost of dependents. We didn’t want to cover 100%, in order to make sure we really were better than the healthcare offered by their spouse’s plan (if their spouse’s employer provided healthcare).

Benefit to employees / company

The benefit to employees is obvious, but companies also benefit from healthy and happy employees. Healthcare can affect one’s financials, and if an employee is worrying about their finances, that’s time they’re not spending focused on the company.

Who it affects

Every employee

Pitfalls

If you don’t pick a good enough plan, or if you don’t cover enough, some employees may not feel comfortable joining your company.

Employee response

We’ve never had any issues with the amount we cover, but we have had some issues with the provider we pick. We were using Anthem and our employees chose to cut back the % we cover (though it would cost them more) to have a more reliable provider whenever we had to submit for out-of-network costs. We ended up with Blue Shield and had more profit the following year, so brought the employees back to 85% coverage (from 75%).

Anything else to watch out for

Be attentive to your employees’ health. You can’t ask how healthy they are, but if they mention they’re concerned about covering healthcare bills, be proactive in helping them fix the issue.

FSA (Flexible Spending Account)

Overview

An FSA is a Flexible Spending Account. Employees can put money into this account, pre-tax, and use the money on healthcare related items. At the end of the year, any leftover money can be rolled over into the next year (if your plan allows a rollover) up to a maximum amount. Anything that’s unable to be rolled over is forfeited to the company.

Amount we put toward benefit & Why

We added an FSA for one year, allowing for up to a $500 rollover (the maximum federal allowance). We cut it because so few people used it, and those who put money in didn’t end up using it.

Benefit to employees / company

This is a benefit that allows employees with high or consistent medical expenses to pay for those expenses pre-tax.

Who it affects

All employees, except founders and highly compensated individuals (generally those making $120k salary, or those owning 5% or more of the company, but there is a whole list of stipulations defining highly compensated individuals; again, talk to an attorney for further assistance).

Employee response

Some employees were excited to get their glasses pre-tax, but our team happens to be generally healthy. Few employees put money into their FSA, and those that did didn’t use the full amount in it. 

Family Planning Assistance

Overview

We provide assistance for family planning, including egg freezing, IVF, adoption assistance, surrogacy, sperm freezing, vasectomies, etc. The benefit needs pre-approval by the founders / HR ahead of time, though we would like to get a good automated system set up.

Amount we put toward benefit & Why

$5k/year with a $25k lifetime max

Benefit to employees / company

This allows any of our employees to build their personal and family lives any way they see fit.

Who it affects

All employees

Pitfalls

You have to tread lightly when it comes to reproductive health, and you can’t ask for proof of use of this benefit, which is why external platforms are helpful to implement. We also highly recommend only executives or HR receive approval requests to avoid any potential discrimination.

Employee response

Our employees were surprised when we added this benefit, and it led to a lot of interesting debate. From that debate, we added coverage for things like sperm freezing, vasectomies, etc. We also leave our policy open to be modified at any point in time, and keep our doors open for any benefit suggestions.

It has been great for LGBTQ+ and female recruitment. Even if somebody doesn’t end up needing it, they appreciate that there is a support system set up for them and others like them.

Anything else to watch out for

There are many reasons why companies implement this benefit. If your intent is to delay motherhood or get women to work longer, you’re setting yourself up for a toxic culture. You also have to be careful about how you message these benefits, so that the intent is not misconstrued.

You can also consider covering additional allowances for services beyond the norm. For example, you may discuss whether or not to cover the FDA approval process for egg or sperm donation. Going through this process allows employees who never use their eggs or sperm to donate them to a friend, family, or other person in need. There are other caveats like this that you’ll want to consider and decide whether to include, and whether to add additional funding toward them.

There are a lot of platforms to help you with family planning assistance to avoid some of the legal headache of managing reimbursement for health. Unfortunately, we found most were cost-prohibitive for us and didn’t cover everything we wanted to cover.

Sadly, this is a taxable benefit. Your employees can submit it as a healthcare expense on their tax returns to hopefully recoup some of what is lost with the initial benefit payment.

Charity Match Program

Overview

One of our values at Tinfoil is community. We believe in making sure we support our values and any community our employees are a part of. As such, we’ve established a charitable donation match program. 

Amount we put toward benefit & Why

We match up to $1,000, annually, in charitable donations made by an employee.

Benefit to employees / company

This allows our employees to support causes they care about and shows our support for them and their beliefs.

Who it affects

All employees

Pitfalls

We once did a fundraiser at a conference where, for each badge we scanned, we bought a meal for the homeless. One person (out of the thousands we spoke with) said that giving to the poor causes them to stay poor forever. Though we could debate this topic forever (especially given that we were donating meals rather than cash), there will always be somebody who doesn’t believe in giving to charity. That’s ok.

We implemented this through our benefits and payroll provider, Gusto, which helped to make sure that the giving by our employees is anonymous. Gusto knows how much they donated, and matches it for us, but we don’t need to know, and we prefer it that way. Employees are free to support any cause they believe in, and we will match it, as long as it is a 501(c)(3) nonprofit.

Employee response

Not every employee takes advantage of this benefit, but those that do, love it. The response, in general, has been really positive, and people like the fact that we ‘put our money where our mouth is’ with regard to supporting the community around us.

Fitness Reimbursement

Overview

Healthy employees are happy employees. We encourage folks to regularly exercise, and will reimburse for any exercise class, including gym memberships, dance classes, exercise classes, Brazilian Jiu-Jitsu, etc.

Amount we put toward benefit & Why

Up to $80 of expenses spent each month.

Benefit to employees / company

We all get healthy! When an employee starts exercising, we’ve seen their productivity increase significantly within weeks. We also love when they become passionate about a new hobby and can teach everybody in the office something new.

Who it affects

All employees

Pitfalls

Some companies only cover the cost of gym memberships. This limits who can use the benefit. Open it up to include lots of different sports and hobbies!

Anything else to watch out for

We have an attendance requirement for this benefit. You must print out your attendance or have your instructor / trainer sign off that you’ve attended at least 4x/month or 75% of offered classes, whichever is lower. This allows some employees taking a 1x/week class to attend 3 classes a month and still get reimbursed. There is flexibility on this policy if you’re traveling for work and can’t attend your usual classes or gym.

This is a taxable benefit, so make sure you’re tracking it correctly. Talk to an attorney.

Long Term Disability

Overview

It’s important to remember that not everybody is healthy and if one of your employees does have a lasting illness like MS, debilitating cancer, etc., they should still be supported somehow. Long term disability insurance allows your employees to receive a portion of their salary if they’re unable to work again.

Amount we put toward benefit & Why

We cover 100%. It’s a reasonably affordable benefit, but really gives us the ability to support our employees in the case of an unforeseen, disastrous event.

Benefit to employees / company

This gives us all peace of mind, and allows us to focus on the big picture of the business, rather than worrying about our personal life and finances.

Who it affects

All employees

Employee response

Employees who have had family members with debilitating illnesses at any point in their lives appreciated being given LTD.

Anything else to watch out for

We don’t do short term disability (STD), because CA-provided STD is better than anything we can buy. As we expand our employee base outside of CA, we’ll consider adding short term disability.

Fun Items to Check Out

Overview

To prevent burnout, we want to encourage people to go out and do fun things outside of work. We’ve started to purchase small things for the office that employees can check out for the weekend or a short period of time. Examples include an ice cream machine and inflatable kayak (+ life jackets + paddles). 

Amount we put toward benefit & Why

There’s no set amount, but as we have started to add items we have started to keep track of them.

Benefit to employees / company

This allows employees to use something they could buy themselves, but would rarely use. 

Who it affects

All employees

Pitfalls

Make sure you have waivers for specific items, and a sign out / return sheet. Each item must be signed out and, if it isn’t returned, it must be replaced by the employee. Accidents happen, so if an item breaks we are lenient and don’t make the employee replace the item. Most things are under $100 on Amazon, so they’re easy and quick to replace.

Employee response

Some things are rarely checked out, and some things are checked out regularly. It’s nice to have a variety of items to offer.

Educational Stipend

Overview

One of our values is curiosity. My co-founder and I started Tinfoil with the goal of wanting to learn something new every day, and this is one way we can help our employees achieve that goal for themselves. 

Amount we put toward benefit & Why

We provide up to $5,000, annually, for furthering education. This must be manager approved, relevant to your work (though it can be a broad application), and must be paid back, on a prorated basis, if you leave within one year of the end of the training.

Who it affects

All employees

Pitfalls

Make sure you ask for proof of completion of the course before you reimburse, or a passing grade if an exam exists. We always want to see our employees finishing what they start before we cover new education adventures.

Employee response

We’ve had employees take $10 Excel courses and $500 coding courses. We’ve also had some of our employees without college degrees begin to pursue those. We love seeing them grow when they’re given access to something they wouldn’t have otherwise.

Anything else to watch out for

Federally, the maximum amount you can pay toward education for your employees before it’s taxed is $5,250. Make sure you’re within the law, and tax it correctly; talk to an attorney.

401k

Overview

A 401k is a simple retirement plan. Most employees will likely partake in a 401k, unless they are foreign and face unusual tax implications.

Amount we put toward benefit & Why

We match 100% of the first 3% of an employee’s salary that they put into their 401k, and 50% of the next 2% of their salary. So if an employee puts 5% of their salary into a 401k, we match 4% of their salary.

Benefit to employees / company

Employees are able to build up their retirement plan pre-tax (using a traditional 401k) or post-tax (if you choose to offer a Roth 401k option), while also getting a match for a percentage of their salary.

Who it affects

Potentially all employees.

Pitfalls

Companies can run into a lot of issues with non-discrimination testing, so we’d highly recommend implementing a Safe Harbor match, which removes the need to worry about non-discrimination testing. Talk to an attorney.

Employee response

Our employees were ecstatic when we added the 401k. 

Coming soon:

529 College Savings Plan

Once we have more employees with children, we’ll be offering college savings plans. Gusto now provides this with Gradvisor. It can allow employees to save for college tuition, or to save for education for family members pre-tax; it can also be used to save for certain K-12 programs and expenses as well.

Life Insurance

It’ll be a while before we are able to add life insurance. For a business under 50 employees, most life insurance policies we looked at were cost-prohibitive or didn’t cover enough. Our employees are hoping for life insurance policies that cover a multiple of their salary, rather than a fixed amount.

More fun items to check out

There are always more fun items employees could check out to use on the weekends. When we’re around 50 employees, we’d love to get SF Zoo passes and Monterey Aquarium passes. A lot of family-friendly organizations allow businesses that donate to receive bulk tickets / transferable tickets as thanks. This allows us to work toward our community value while still providing thanks to our team members. 

As with anything HR related, there can be issues. Be quick to respond to concerns, and always keep an open-door policy. Employees may come up with something brilliant for your team you just haven’t thought of yet.


Ainsley Braun

Ainsley Braun is the co-founder and CEO of Tinfoil Security. She's consistently looking for interesting, innovative ways to improve the way security is currently implemented. She spends a lot of her time thinking about the usability and pain points of security, and loves talking with Tinfoil's users. She also loves rowing, flying kites, and paragliding.


Server-side GraphQL Querying with Elixir Absinthe

GraphQL is a few years old, and its promises are well known and pretty compelling. Get only the data your front end needs to display, introspection and type constraints, relate all your data in a graph of relationships, etc.! All great things, but if you’re like us and you start to retrofit a GraphQL API onto a REST-based site, you start to notice a divide.

We decided to build GraphQL into our API scanner. Since we’ve built it using Phoenix in Elixir, Absinthe was our go-to choice for a GraphQL query engine. Where before we had a set of contexts and related queries to provide information for our views, now we also had our GraphQL schema defining relationships and queries for fetching particular sets out of the database. It’s not a huge increase in maintenance and overhead, but it does mean duplicating authorization checks and a few other concerns, like remembering to preload for particular edge cases. It would be nice if we could use our GraphQL interface on the server side, particularly if you want to, say, pre-render a single-page app… and it turns out with Absinthe, you can!

Let’s take, for example, a simple social media site. On the site, there are users and posts, where users can become friends and posts can be liked. In order to populate the initial view of this site, we would need to get the current user, preload their friends, preload the first N posts between their posts and their friends’ posts, and the likes on those posts. We'd also need to have a GraphQL query for that same information when the state changes for the current user (for instance when they scroll to the bottom of the page). This is a good amount of duplicate querying, but with Absinthe you can add the @graphql annotation before an action in your controller to query the same information that your front end would pull. The result of the query becomes the parameters map given to your controller. For instance:


Relatively compact, fairly convenient, and by nesting everything under the current user, we should be able to ensure they only access things they are allowed to see. However, it looks like we’re grabbing just about every field available on our (admittedly quite simple) GraphQL schema. Also this query will return a bare map, rather than the structs defined in our application (which could be useful to have elsewhere in the app). Absinthe comes to the rescue for both of these issues by providing a shortcut in the @graphql annotation. Given a query where a field is requested but none of its subfields are specified, it will grab all the fields and, in the case of a field backed by an Ecto schema, will use that struct instead of a bare map. From there, you can use @put inside that object to grab the associations you want to load. This leaves us with this fairly succinct query for our controller’s index action:


And there we go! Now this hypothetical app need only worry about one path for providing data to users, and can concentrate on authorization along the GraphQL path. As long as our graph is complete, we don’t need to worry about making new specific queries for our controllers. Happy coding!
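As an added illustration of the controller described above (written for this page, not the post’s own snippets, which are not reproduced here): it assumes a Phoenix app named SocialWeb with an Absinthe schema SocialWeb.Schema whose `me` field resolves to the current user (an Ecto-backed User struct) with `friends` and `feed` associations; that Absinthe.Phoenix.Controller supplies the @graphql attribute and @put directive the post describes and fills query variables from the action’s params; and that the `put_graphql_context` plug, which copies the already-authenticated user into the Absinthe context, is a hypothetical helper. The schema and its resolvers are assumed to scope everything to `context.current_user`, which is where the authorization the post mentions lives.

```elixir
defmodule SocialWeb.FeedController do
  use SocialWeb, :controller
  # Absinthe.Phoenix.Controller runs the @graphql query below before the
  # action and hands the result to it as params. Schema name is assumed.
  use Absinthe.Phoenix.Controller, schema: SocialWeb.Schema

  # Hypothetical plug: expose the authenticated user to the resolvers via the
  # Absinthe context, so the same authorization checks apply on the server
  # side as on the public GraphQL endpoint.
  plug :put_graphql_context

  defp put_graphql_context(conn, _opts) do
    Absinthe.Plug.put_options(conn, context: %{current_user: conn.assigns.current_user})
  end

  # `me` is requested without a subselection, so Absinthe returns the full
  # User struct instead of a bare map; @put loads the listed associations
  # (`friends`, and the feed of own + friends' posts) into that struct.
  # `$first` comes from the request params, e.g. GET /feed?first=20.
  @graphql """
  query ($first: Int) {
    me @put {
      friends
      feed(first: $first)
    }
  }
  """
  def index(conn, %{data: %{me: me}}) do
    render(conn, "index.html", current_user: me, friends: me.friends, posts: me.feed)
  end
end
```

Because `me` is the root of the selection, a caller can only ever reach data hanging off their own user record; the resolver for `me` should read the user from the context rather than from any client-supplied id.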


Alex Bullen

Alex is Tinfoil Security's Top-Shelf Programmer (and fetcher of things from high shelves). A former psychology wonk and recent App Academy grad, Alex endeavors to treat every challenge as an opportunity to improve his code-fu. When not busily building blocks of precisely put code, you can find him reading fantasy novels or practicing kung fu.

Tags: graphql


What The Hack 2018?

As the current year comes to an end, many of us take this time to look back and reflect on how we can be a better version of ourselves for the upcoming new year. Let’s reflect on the data breaches that occurred in 2018, to encourage the companies we trust with our data to try and do better in 2019.  

The past year brought us an unusual number of high profile breaches, with alarming amounts of data being exposed. Here are our 12 Hacks of Christmas:

1) The largest, in terms of records breached, was Aadhaar. For those of you who may not have heard of Aadhaar before, it’s the Unique Identification Authority of India (UIDAI). The UIDAI is mandated to assign a 12-digit unique identification (UID) number (termed "Aadhaar") to all the residents of India. According to a report by the Tribune News Service, there was a software patch that could be bought for as little as 500 Rupees and reportedly allowed unauthorized persons to generate Aadhaar numbers. An additional payment of 300 Rupees got you access to software through which anyone could print an ID card for any Aadhaar number. The data breach is believed to have compromised the personal information of nearly all 1.1 billion citizens registered in India.

2) More recently, there was a data breach of the Starwood guest reservation database, newly owned by Marriott International. This breach exposed the personal information of up to 500 million people. Hackers were able to access guests’ names, addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, Starwood loyalty program account information, and reservation information. In some cases, they were also able to steal payment card numbers and expiration dates. According to Marriott, the payment card numbers were encrypted, but they are not sure yet if the hackers were also able to access the information needed to decrypt them. 

3) Exactis is a marketing and data aggregation firm based in Florida that left a database containing two terabytes of information exposed on a publicly accessible server, including the personal details of hundreds of millions of Americans and businesses. This led to an estimated 340 million records being breached. The data exposed included email addresses, physical addresses, phone numbers, and highly sensitive details such as the names and genders of consumers’ children.

4) MyFitnessPal, now owned by Under Armour, was compromised, leading to 150 million records being exposed. The data exposed included customers' usernames, email addresses, and hashed passwords. Some welcome news was that their users’ payment information was not compromised, as Under Armour stores that database separately. 

5) MyHeritage, an online genealogy platform, left 92 million of their users' emails exposed after a security researcher informed the company’s CISO of a file found on an external server. According to MyHeritage, they store family tree and DNA data on servers separate from those that store email addresses and they use third-party service providers to process payments, so other than email addresses, the rest of their customers’ data was not exposed. 

6) The main hack most of us heard about was the whole Facebook / Cambridge Analytica exposé. Upwards of 87 million records were breached. Later, Inti De Ceukelaire (a security researcher) revealed another app, Nametests.com, had publicly exposed information of more than 120 million Facebook users as well.

7) One of the latest breaches happened to Informed Delivery, a service created by the US Postal Service (USPS), which allows customers to view their mail before it arrives at their home mailboxes. In addition to emailing the images, the USPS offers an API to allow users to connect their mail to specialized services like CRMs. However, it was discovered that the API accepted wildcards for many search parameters, allowing any authenticated user to query the records of other users on the site. According to reports, hackers who accessed the data got to see where important documents and checks were being mailed, so they could go and steal them once they were delivered. The USPS has advised people to sign up for the Informed Delivery service with their own email address before someone else signs up as them. Estimates say that 60 million records were exposed.

8) Panera Bread exposed 37 million of its customers’ records in early April. What was more concerning was that in August 2017, security researcher Dylan Houlihan attempted to disclose the vulnerability to Panera Bread, letting them know they had a weakness that resulted in Panerabread.com leaking customers’ records in plaintext. That data could then be scraped and indexed using automated tools. Houlihan claims that his disclosure was dismissed for almost eight months, until he reached out to Brian Krebs (an investigative information security journalist), who reported the story. This finally forced Panera Bread to deal with the issue by taking their website temporarily offline so they could fix the vulnerability. 

9) Ticketfly was asked to cough up a ransom for a vulnerability that was discovered by a hacker. When the company refused, the hacker vandalized, took down, and disrupted their site for a week. The hacker was also able to replace Ticketfly’s homepage and make off with 27 million records of customer and employee data, including names, physical addresses, email addresses, and phone numbers. 

10) The Sacramento Bee newspaper was attacked by an anonymous hacker early in the year. The hacker gained access to 19.5 million records, after seizing two of their databases, and trying to get the paper to pay a ransom for their release. One of the databases contained data from California voter registration provided by California’s Secretary of State, and the other database stored the Sacramento Bee’s subscriber contact information. Sacramento Bee refused to pay the ransom and deleted the databases to prevent additional attacks. However, the attack still left 53,000 of their subscribers’ information and 19.4 million California voters’ data vulnerable.

11) It’s suspected that the fitness app, PumpUp, exposed 6 million of its users’ records after a backend server was found to be exposed to the Internet with no password to protect it. This vulnerability leaked sensitive customer data, such as user-entered health information, photos, and private messages sent between users. The exposed data also contained Facebook access tokens and, in some cases, unencrypted credit card data including card numbers, expiration dates and CVV numbers. ZDNet reported the story and reached out to PumpUp, after security researcher Oliver Hough discovered the vulnerability and contacted ZDNet to disclose the issue. PumpUp did not respond to ZDNet, but they did end up securing the server. It’s unclear for exactly how long the server had been sitting exposed.

12) Saks Fifth Avenue and Lord & Taylor became the source of 5 million credit and debit card records which were put up for sale by the JokerStash hacking syndicate. The discovery was made by security firm Gemini Advisory. After the discovery was disclosed, both Saks Fifth Avenue and Lord & Taylor took immediate steps to fix the issue. A class action lawsuit was filed against them by the customers whose data had been exposed and put up for sale. 


In most of these situations, it was a journalist, outside researcher or a white hat hacker that found and disclosed the vulnerabilities. Often, it was too late to be dealt with. One of our Tinfoil Engineers wrote about this issue with disclosing vulnerabilities in a previous blog post. We still believe there are more good folks out there than bad folks, so we look forward to bringing joy and hope to the world of cybersecurity in 2019 and beyond!


Neda Blocho

With a background in running the world's top accelerator program out of Stanford University and a tour as a seed stage investor in Silicon Valley, Neda has seen first hand the great need for solving issues around cyber security! Neda makes sure the world knows how much better and safer their DevOps lives can be by partnering with Tinfoil.


Decking the Halls for Holiday Traditions

It’s that time of year when we’re thankful, our bellies are full of turkey, and we’re turning on heaters and bundling up in sweaters. The holidays are always a great time of year at Tinfoil. We’re typically working hard on fun wrap-up projects before the holiday exodus, and are most collaborative during this time. Tinfoil is a small team, and often our collaboration makes us much more like a family than most companies. Just like all families, we like to make time to celebrate the holidays with one another.


This week, we’re decking the halls with cheer. Each year, Tinfoil puts up a traditional non-denominational holiday tree, adorned nicely with hand-cut snowflakes, twinkly lights, and a hodgepodge of ornaments from different team members and different religions. Slowly it gets filled with surprise Secret Santa gifts, surprise founder-to-employee gifts, and surprise employee-to-employee gifts. Our tree is one of my favorite aspects of Tinfoil. We buy it just for a few weeks, and donate it immediately after our gift exchange to a family who can’t afford one themselves. We’ve given it to a retired firefighter with pensions too small for Bay Area rents, a family whose father was recently laid off, and a nice retired couple living frugally. Each person is so very different, and each one walked away in love with their tree.

Our Secret Santa is a simple event. Each team member automatically draws a name (thanks to drawnames.com) and anonymously picks out a gift with a price limit. We’ve had silly gifts, loving gifts, and gifts that seemed just right. Sometimes we even get visits from past employees. We have a small party to guess who Santa’d us and cider is enjoyed by many.

My cofounder and I like to make sure the tree is filled right up. We add some small additional gifts, ranging from joke gifts, to food, to fun toys for the entire team. One year each person got an animal onesie, and a different year they each got surprisingly good waterproof speakers. There are usually 2-3 gifts for each employee, making unwrapping a fun holiday evening.

Tinfoil’s traditions are similar to many startups. We keep it simple, try to incorporate as much diversity as possible, and try to end the year celebrating our successes together. I’ve heard so many wonderful ideas for holiday celebrations from other startups. What are yours?


Ainsley Braun

Ainsley Braun is the co-founder and CEO of Tinfoil Security. She's consistently looking for interesting, innovative ways to improve the way security is currently implemented. She spends a lot of her time thinking about the usability and pain points of security, and loves talking with Tinfoil's users. She also loves rowing, flying kites, and paragliding.


Should I include CSRF protection on a login form?

Since I found Angel’s “Plain English” series of blog posts so helpful when I was first learning about different kinds of vulnerabilities on the web, I wanted to continue that series. I hope to expand into some of the nuances of more commonly known vulnerabilities, and touch on some of the less well known ones. Let’s get started with one special case that I often find questions about: CSRF on a login form.

To start, if you’re not familiar with the Cross Site Request Forgery (CSRF) attack, you should definitely give Angel’s blog post from a few years ago a read. In the typical way of thinking about a CSRF, an attacker is able to submit a form on behalf of a victim with data the attacker controls. In the classic example, you can imagine an online service that allows users to transfer money between each other, perhaps by first adding their credit card. In the absence of any protective measures against CSRF, the attacker can trick their victim into clicking a link that submits a form on their account, and transfers money into the attacker’s account.  However, what if our humble service is aware of this risk, and includes some form of CSRF protection on all of their authenticated forms? Our attacker will have to get a bit more clever, and though the aforementioned example might often be the most dangerous case, it is not necessarily the only one.

Strictly speaking, a CSRF attack is one where an attacker is able to submit any request on behalf of the victim. So, the attacker begins looking for other ways to trick our poor victim, and finds that the login form is totally unprotected. Hatching a devious plan, our attacker crafts an attack that submits the login form in the victim’s own browser with the attacker’s own credentials, thus logging the victim into the attacker’s account. So our victim -- now perhaps only slightly confused as to why their credit card info is missing -- adds all of the personal information necessary to send money to their friend, and logs out, thinking nothing more of it. Now our attacker, having full control over their own account, logs back in to find that they have everything they need to siphon funds from our poor victim.

As you may have noticed, the impact of an exploit like this varies from site to site, depending a lot on how likely or possible it is for a victim to leave behind personal information. It also relies on tricking the users into completing at least one extra step, instead of just clicking a dubious link. However, the world of security frequently involves accounting for even very unlikely cases, because an attacker will often have hundreds or sometimes thousands of opportunities, and doesn’t need to succeed every time. It’s also worth mentioning that even seemingly harmless vulnerabilities can be leveraged to enable more potent attacks. You might already be able to imagine how one could use an attack like this to direct a user to a page with an injected XSS, but perhaps I’ll save that concept for a later blog post.

For these reasons, I like to err on the side of caution, and avoid giving an attacker the opportunity to exercise any functionality on another user’s behalf. For more information on how we suggest you implement your CSRF protection, you can refer to the article linked above.

I hope you found this short post helpful in understanding some of the nuance of one of the most threatening types of vulnerabilities on the web. I’m one of the support engineers here at Tinfoil Security, so if you have any thoughts, feel free to email me at dallas@tinfoilsecurity.com. I’d love to hear your feedback!


Dallas Weber

Dallas’ detail-oriented nature makes him very passionate about helping customers get the most out of their product experience by solving any of their challenges. Outside of cybersecurity, he has a particular curiosity for how movies and video games are designed. Dallas studied Applied Mathematics at Robert Morris University.

Tags: csrf plain english