Dave Ferguson today released a series of rather nasty CSRF attacks against Netflix. CSRF is nasty. It can perform any action your account is allowed to perform, but without your knowledge: if you can do something, it can do it on your behalf. From a web application security perspective it’s just about the closest thing to completely owning a user account without actually having to penetrate the system or even know the user’s password. Here are some of the examples of vulnerabilities in Netflix:
- add movies to your rental queue
- add a movie to the top of your rental queue
- change the name and address on your account
- change the email address and password on your account (i.e., take over your account)
- cancel your account (Unconfirmed/Conjectured)
Pretty scary! Even if you couldn’t change the password by changing the email address you can use the forgot password function on most applications to forgo knowing the actual password. Who cares what the password is anyway (unless you are doing password research). Most of the time the attacker just wants access to the account in question.
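To make the mechanism concrete, here is an added example (not from Dave’s writeup and not Netflix’s code) of why a “change e-mail” handler that trusts only the session cookie is forgeable, and how a per-session synchronizer token closes the hole. It assumes a toy in-memory session store and a placeholder server secret.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"placeholder-server-secret"   # constructed; not a real key
SESSIONS = {}                               # session id -> account record

def login(user):
    """Start a session; the browser attaches this cookie to every request for the site."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "email": user + "@example.test"}
    return sid

def csrf_token(sid):
    """Synchronizer token bound to the session; a cross-site page cannot read it."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()

def change_email_vulnerable(cookies, form):
    """Trusts the session cookie alone: that is the CSRF hole."""
    sess = SESSIONS.get(cookies.get("sid"))
    if sess is None:
        return 401
    sess["email"] = form["email"]
    return 200

def change_email_hardened(cookies, form):
    """Same handler, but the request must also carry the per-session token."""
    sid = cookies.get("sid")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    if not hmac.compare_digest(form.get("csrf", ""), csrf_token(sid)):
        return 403                          # token missing or wrong: reject
    sess["email"] = form["email"]
    return 200

def simulate():
    """Replay a forged request against both handlers, then a legitimate one."""
    sid = login("victim")
    cookies = {"sid": sid}                  # sent by the browser automatically
    forged = {"email": "attacker@example.test"}   # form from a hostile page
    vuln = (change_email_vulnerable(cookies, forged), SESSIONS[sid]["email"])
    SESSIONS[sid]["email"] = "victim@example.test"
    hard = (change_email_hardened(cookies, forged), SESSIONS[sid]["email"])
    legit_form = {"email": "new@example.test", "csrf": csrf_token(sid)}
    legit = (change_email_hardened(cookies, legit_form), SESSIONS[sid]["email"])
    return {"vulnerable": vuln, "hardened": hard, "legit": legit}
```

The token only helps if it is checked on every state-changing request (queue changes, address and password updates, cancellation) and never leaks into a URL the attacker could read.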
David used a quote I’ve heard Jeremiah say a number of times, “CSRF is a sleeping giant.” I guess my comment to that statement is that it feels like the giant is coming out of hibernation as more dynamic applications are built and more malicious people understand the value of attacking online accounts. It’s already happening, even if only in the very smallest quantities. Time to start building secure applications so we can put the giant back to bed. More on this in the future…