Article 517CK Here's the Netflix Account Compromise Bugcrowd Doesn't Want You to Know About [Updated]

Here's the Netflix Account Compromise Bugcrowd Doesn't Want You to Know About [Updated]

by
Fnord666
from SoylentNews on (#517CK)

upstart writes in with an IRC submission for SoyCow9451:

Here's the Netflix account compromise Bugcrowd doesn't want you to know about [Updated]:

Updated 3/23/2020: A Netflix spokeswoman said that the dismissal of this bug report on the grounds it was out-of-scope was a mistake on the part of the company. The company has since confirmed the validity of the report and began rolling out a fix on Friday. The spokeswoman said that the researcher will receive a bounty, although she didn't say how much it will be. What follows is the original Ars report:

A Netflix security weakness that allows unauthorized access to user accounts over local networks is out of the scope of the company's bug bounty program, the researcher who reported the threat said. Despite dismissing the report, the Bugcrowd vulnerability reporting service is trying to prevent public disclosure of the weakness.

The researcher's proof-of-concept exploit uses a classic man-in-the-middle attack to steal a Netflix session cookie. These browser cookies are the equivalent of a wristband that music venues use so paying customers aren't charged an entrance fee a second time. Possession of a valid session cookie is all that's required to access a target's Netflix account.

Varun Kakumani, the security researcher who discovered the weakness and privately reported it through Bugcrowd, said the attack is possible because of two things: (1) the continued use of clear-text HTTP connections rather than encrypted HTTPS connections by some Netflix subdomains and (2) the failure of Netflix to equip the session cookie with a secure flag, which prevents transmission over unencrypted connections.

The omissions are surprising to find in a major Web service in 2020. In the years following the 2013 revelations of indiscriminate spying by the National Security Agency, these services almost universally adopted the use of HTTPS across all subdomains. The protocol provides end-to-end encryption between websites and end users. Netflix didn't respond to a message seeking comment for this post. Without an explanation from the company, it's not clear if the use of plaintext connections is an oversight or done purposely to provide various capabilities.

"Essentially you can hack any Netflix account [of] whoever is on the same Wi-Fi network," Kakumani told me. "Old-school MITM attack."

Original Submission

Read more of this story at SoylentNews.

External Content
Source RSS or Atom Feed
Feed Location https://soylentnews.org/index.rss
Feed Title SoylentNews
Feed Link https://soylentnews.org/
Feed Copyright Copyright 2014, SoylentNews
Reply 0 comments