WASHINGTON, DC. You never know what kind of vulnerabilities you’ll see at Black Hat.
I’m sitting in a session now where security researcher Chuck Willis of the security firm Mandiant has just demonstrated a live cross-site request forgery (CSRF) attack on the popular video site Netflix.
According to Willis, the issue was first reported to Netflix 17 months ago. In a nutshell, CSRF exploits a basic feature of HTTP and the web: a page on one site can include HTML elements that cause the browser to make a request to any other site, and the browser attaches the cookies it holds for that other site (including a logged-in session cookie) to the request. There are a lot of different ways to trigger a CSRF, including a simple image tag or even just a CSS (cascading style sheet) reference.
In the Netflix live case study, Willis showed how he could add a movie to a user’s queue without the user’s knowledge.
Willis said that Netflix used to have even more CSRF problems, including one that could have allowed an attacker to change a user’s mailing address. That means that before Netflix partially fixed its CSRF issues, an attacker could have added a movie to a victim’s queue and then had it shipped to an address of the attacker’s choosing.
As it stands, an attacker can only add a movie, which Willis admitted isn’t terribly exciting. He did suggest it could be used as a scam to promote a movie: an attacker gets a particular title added to a lot of users’ queues so that Netflix has to buy more copies of it.
Overall, Willis’s point was that CSRF is a problem that is becoming increasingly prevalent and is also difficult (though not impossible) to detect.