Netflix fixes Web 2.0 bugs

Site weakness could have let outsiders change a user's address and potentially hijack their account.

Joris Evers Staff Writer, CNET News.com
Netflix has fixed weaknesses in its Web site that could have let outsiders change a user's address, add movies to their rental queue, and potentially hijack their account.

The problems were repaired before they became publicly known, Steve Swasey, a Netflix spokesman, said on Monday. "It is an extremely remote possibility that it would have affected any of Netflix's 5.2 million members," he said.

The weaknesses stemmed from design flaws in the Netflix Web site and belong to a relatively new class of Web application vulnerability known as hostile linking or cross-site request forgery, said Dave Ferguson, the security researcher who discovered the issues and reported them to Netflix. Ferguson publicly disclosed the flaw on Monday on a popular security mailing list. This type of flaw probably exists in many other complicated Web sites, he said.

"This type of attack is only suitable for a certain type of Web site. It just happens to be that Netflix is the perfect example," he said. "One key thing is when the majority of users keep themselves logged in. I don't do this for many sites, but Netflix is one of them."

An attacker could have taken advantage of the weaknesses by crafting a Web site that includes some simple HTML code, Ferguson said. A Netflix user would have to be tricked into visiting the nefarious Web site for the attack to succeed, he said.

Only those Netflix customers who use the "remember me" option on the DVD rental site would be affected. The popular feature automatically logs users in on their next visit by keeping a login cookie on the user's PC. Because the browser attaches that cookie to any request bound for Netflix, regardless of which site triggered the request, the feature sets up a type of trust between the user's PC and the Netflix Web site that could be exploited by third-party sites, Ferguson said.

While boosting rentals of the "SpongeBob SquarePants" movie by adding the title to Netflix subscribers' queues is quite innocent, changing the shipping address could be serious. "When you talk about changing the shipping address on the account, you talk about somebody being able to steal DVDs," Ferguson said.

Also, in some cases it would be possible to take over a user's account by changing their login credentials, Ferguson said. This would be possible only if the intended victim were tricked into clicking on the malicious link or visiting the malicious Web site shortly after entering their login information on the Netflix Web site, Ferguson said.

"Netflix is audited all the time for security," Swasey said. "There was some level of exposure, although not serious." At no point was customer data such as credit card numbers at risk, he stressed.

Cross-site request forgery, or XSRF, is seen as one of the security problems that affect feature-rich Web sites. These "Web 2.0" sites often offer an experience more like using a desktop application than like using the Web. Experts have also pointed to other security woes such as cross-site scripting bugs and JavaScript-related vulnerabilities.

"As the Internet matures, companies such as Netflix have created a whole new way of doing commerce," Swasey said. "With that comes a lot of new exploration, and any type of innovation is up for corrections and adjustments."