web application security lab

CSRF in Netflix

Dave Ferguson today released a series of rather nasty CSRF attacks against Netflix. CSRF is nasty. It can perform any action that you are allowed to perform, but without your knowledge. If you can do something, it can do it on your behalf. From a web application security perspective it’s just about the closest thing to completely owning a user account without actually having to penetrate the system or even know the user’s password. Here are some examples of what the vulnerabilities in Netflix allow:

- add movies to your rental queue
- add a movie to the top of your rental queue
- change the name and address on your account
- change the email address and password on your account (i.e., take over your account)
- cancel your account (Unconfirmed/Conjectured)

Pretty scary! Even if you couldn’t change the password, by changing the email address you can use the forgot password function found on most applications to get around knowing the actual password. Who cares what the password is anyway (unless you are doing password research)? Most of the time the attacker just wants access to the account in question.

David used a quote I’ve heard Jeremiah say a number of times, “CSRF is a sleeping giant.” I guess my comment to that statement is that it feels like the giant is coming out of hibernation as more dynamic applications are built and more malicious people understand the value of attacking online accounts. It’s already happening, even if only in the very smallest quantities. Time to start building secure applications so we can put the giant back to bed. More on this in the future…
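
A server-side check that closes this class of hole, as an added example that is not from the original post or from Netflix: state-changing actions require a POST carrying a token bound to the session, so the cookie the browser attaches automatically is no longer enough. The action names, the request dictionary shape and the key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated at start-up for this demo only (assumption).
SERVER_KEY = secrets.token_bytes(32)
# Hypothetical action names modelled on the list in the post.
STATE_CHANGING = {"add_to_queue", "move_to_top", "change_address", "change_email"}


def _mac(session_id: str, nonce: str) -> bytes:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(session_id: str) -> str:
    """Token the server embeds in its own forms; valid for one session only."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce).decode()}"


def token_valid(session_id: str, token: str) -> bool:
    nonce, sep, sent = (token or "").partition(".")
    if not sep or not nonce:
        return False
    # Compare as bytes in constant time; tolerate junk in the submitted value.
    return hmac.compare_digest(_mac(session_id, nonce), sent.encode("utf-8", "replace"))


def handle(request: dict) -> int:
    """Return an HTTP status for a simplified request (constructed shape)."""
    session_id = request.get("cookie_session")
    if not session_id:
        return 401
    if request["action"] not in STATE_CHANGING:
        return 200  # read-only views need no token
    if request["method"] != "POST":
        return 405  # never change state on a GET
    token = request.get("form", {}).get("csrf_token", "")
    if not token_valid(session_id, token):
        return 403  # a session cookie alone is not proof of intent
    return 200
```

A forged cross-site request arrives with the victim's session cookie but cannot read the token out of the site's own pages, so it stops at the 403.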

5 Responses to “CSRF in Netflix”

  1. rigakk Says:

    I seem to remember you were looking for a way to control http headers when performing CSRF attacks. Well, it looks like this new Flash 9 vuln is precisely what you want:

  2. maluc Says:

    Wow, there’s something sexy about full remote header control .. and something frightening about the Web 2.0’s extreme lust for usability at the expense of security..

    I’m surprised a method this simple hadn’t been discovered before though.

  3. Martin Straka Says:

    to rigakk, maluc:

    This is an extension to what was already discovered by Amit Klein:


    in July

  4. RSnake Says:

    Yah, also, I think this is a reference to a conversation we were having about changing GET to POST inside of an image tag, which still isn’t possible, unfortunately. You need XSS to be able to do this Flash header spoofing (which was mentioned here some time ago: http://ha.ckers.org/blog/20060725/forging-http-request-headers-with-flash/).

    Still cool though!

  5. alam Says:

    Please tell me more detail about CSRF for hacking