ANNOUNCEMENT
Netflix Cross Site Request Forgery Vulnerability

Release Date: 10/16/2006
Netflix notified: 9/25/2006
Author: David Ferguson, Security Researcher -- gmdavef [at] gmail com

INTRODUCTION

Recently I found that the Netflix.com site was vulnerable to Cross Site Request Forgery (XSRF), also known as hostile linking. I notified Netflix about this problem on 9/25/06 and it appears they are finally making the necessary corrections. I want to make the information public to raise awareness of this type of vulnerability and hopefully educate others who may not have heard about it before.

An excellent whitepaper about XSRF by Jesse Burns can be found at http://www.isecpartners.com/documents/XSRF_Paper.pdf.

BACKGROUND

Netflix is a company that offers a popular online DVD rental service. Over 5.5 million people are currently Netflix subscribers.

Many users of the Netflix web site, when logging in, choose the option that says "Remember me on this computer". This option causes one or more cookies to be written to the user's computer. The cookie is sent automatically the next time the user visits the Netflix site, eliminating the need to enter credentials again.

VULNERABILITY OVERVIEW

XSRF is an application-level vulnerability in which an attacker takes advantage of the trust that the web site places in the cookie. The browser attaches the cookie to every request it sends to the site, whether or not the user intended that request, so commands are issued to the target application unbeknownst to the user.

By exploiting the XSRF vulnerability, an attacker could have made changes to a victim's Netflix account simply by having him visit a malicious web site. Any Netflix user who had chosen the "remember me" option, or who happened to be logged in at the time, was subject to this attack. The victim would not have seen anything out of the ordinary that might indicate his Netflix account was affected.

ATTACK SCENARIOS

Netflix has corrected several of the vulnerabilities.
Prior to the corrections, an attacker could use XSRF to perpetrate a number of actions on the victim including:

- adding movies to his rental queue (still possible as of 10/16/06 a.m.)
- adding a movie to the top of his rental queue (still possible as of 10/16/06 a.m.)
- changing the name and address on the account
- enabling/disabling extra movie information
- changing the email address and password on the account (was limited exposure only)
- cancelling the account (Unconfirmed/Conjectured)

Chaos and/or embarrassment could result if an attacker decided to add random DVDs to the top of each victim's rental queue. In many cases, the attacker-chosen DVDs would have shipped out and arrived before the change was noticed. It is also possible to add dozens or even hundreds of DVDs to a victim's rental queue, all without his knowledge.

One of the most serious exploits was the ability to change the name and mailing address on the account. An attacker could have changed the name and address (or just the address) on a large number of Netflix accounts. DVDs would subsequently have been shipped to the address of his choice and stolen.

Another harmful exploit was the potential ability to change the email address and password on the account. This particular exposure was limited in nature because the Netflix site normally requires input of the current password before changing the email address or password on the account. However, there was a certain time period after a user signed in during which the current password was not required. During this time period, it was possible for a malicious site to cause the email address and password on a victim's account to be changed. The legitimate user would have been locked out of his account and full control given to the attacker.

PROTECTING YOURSELF

If you're a Netflix subscriber, there are several ways you can protect yourself until Netflix fully fixes their site.
These safeguards would also help protect against XSRF vulnerabilities in other sites.

Option 1 -- Don't use the "remember me" option when signing in. That will prevent stored cookies and protect you against XSRF attacks while you are not signed in. You should also avoid visiting unknown or untrusted sites while signed in to Netflix. Finally, make sure to sign out and close all browser windows when finished using the Netflix site.

Option 2 -- Use one browser (e.g., Firefox) exclusively for Netflix, and another browser (e.g., Internet Explorer) for all other web sites. Cookies stored by one browser are not sent by the other, so a hostile page loaded in the second browser carries no Netflix session.

Option 3 (not recommended) -- Use Firefox as your web browser and tell it not to load images from other sites. You can do this by putting a check in the box next to "for the originating web site only" under Tools--Options--Content. Please note that this option may not be 100% effective: it only blocks the image-based form of the attack, and a hostile page can trigger the same request with a link, a hidden frame, or a script-submitted form.

MITIGATING XSRF

Developers can prevent XSRF vulnerabilities from appearing in web applications in several ways. The white paper by Jesse Burns describes several alternatives.

The best technique appears to be implementing a cryptographic token that must be passed as a parameter with every state-changing request. The token would be derived from several pieces of data, including the type of action being performed, the session ID, and a secret value known only to the application (for example, a keyed hash over the action and session ID). Because the attacker's page cannot read the victim's session cookie or the server secret, it cannot reproduce the token, and any request without a valid token for that session and action is rejected by the application.

Another, albeit less reliable, mitigation technique would be to check the Referer (sic) in the HTTP request header and verify it is from the expected domain. This is weaker because browsers and proxies sometimes strip the header, so the application must decide what to do when it is absent.

It should also be noted that a contributing problem in the Netflix case was that HTML forms could be submitted via the GET method as well as the POST method. An application that accepts GET for state-changing requests simplifies the exploit for attackers because they can place the form parameters within the URL itself, and any page can make the victim's browser fetch a URL with an image tag or a link. Requiring POST does not by itself prevent XSRF, since a hostile page can automatically submit a form, but it removes the simplest attack vector.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
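The following is an added example, not code from the advisory or from Netflix, illustrating the ATTACK SCENARIOS and MITIGATING XSRF sections above. It models a queue-update handler twice: a "before" version that trusts the cookie alone and accepts GET (so a hostile page's image tag succeeds), and a hardened version that requires POST plus a token keyed over the action and session ID with a server secret, and uses the Referer header only as a secondary check. The cookie name "NetflixId", the action name "AddToQueue", the movie IDs, and the request and session objects are all constructed for this example and are not taken from the real site.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical per-deployment secret, generated at start-up so the example
# runs offline.  A real deployment keeps this out of source control.
SERVER_SECRET = secrets.token_bytes(32)


def make_xsrf_token(session_id: str, action: str, secret: bytes = SERVER_SECRET) -> str:
    """Token bound to the session and to the action it authorises.

    HMAC(secret, action || session_id): a hostile site cannot compute it
    without the secret, and a token issued for one action is useless for another.
    """
    message = action.encode() + b"\x00" + session_id.encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_xsrf_token(session_id: str, action: str, token, secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison against the token the server would have issued."""
    if not isinstance(token, str) or not token:
        return False
    return hmac.compare_digest(make_xsrf_token(session_id, action, secret), token)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    params: dict
    cookies: dict
    headers: dict = field(default_factory=dict)


# Constructed sample state: a persistent "remember me" cookie value mapped to a
# session.  "NetflixId" is a hypothetical cookie name.
SESSIONS = {"remember-me-cookie-abc": "session-42"}


def session_from_cookie(req: Request):
    return SESSIONS.get(req.cookies.get("NetflixId"))


def vulnerable_add_to_queue(req: Request, queues: dict):
    """Pre-fix behaviour as the advisory describes it: the cookie alone
    authorises the change and GET is accepted, so a hostile page's
    <img src="...AddToQueue?movieid=..."> succeeds without the victim noticing."""
    sid = session_from_cookie(req)
    if sid is None:
        return 401, "sign in"
    queues.setdefault(sid, []).append(req.params.get("movieid"))
    return 200, "added"


def hardened_add_to_queue(req: Request, queues: dict, site_host: str = "www.netflix.com"):
    """Rejects anything that is not a POST carrying a valid action-bound token.
    The Referer check is the secondary, less reliable control: it is applied
    only when the header is present, since browsers and proxies may strip it."""
    sid = session_from_cookie(req)
    if sid is None:
        return 401, "sign in"
    if req.method != "POST":
        return 405, "state-changing request must be POST"
    if not verify_xsrf_token(sid, "AddToQueue", req.params.get("xsrf_token")):
        return 403, "missing or invalid XSRF token"
    referer = req.headers.get("Referer")
    if referer and urlsplit(referer).hostname != site_host:
        return 403, "cross-site Referer"
    queues.setdefault(sid, []).append(req.params.get("movieid"))
    return 200, "added"


def demo():
    """Runs a hostile GET (image tag), a hostile auto-submitted POST without a
    token, and a legitimate POST against the handlers; returns the status codes
    and the resulting queues for the vulnerable and hardened versions."""
    cookies = {"NetflixId": "remember-me-cookie-abc"}  # sent automatically by the browser
    hostile_get = Request("GET", {"movieid": "70000000"}, cookies,
                          {"Referer": "https://attacker.example/page.html"})
    hostile_post = Request("POST", {"movieid": "70000000"}, cookies,
                           {"Referer": "https://attacker.example/page.html"})
    legit = Request("POST", {"movieid": "60000000",
                             "xsrf_token": make_xsrf_token("session-42", "AddToQueue")},
                    cookies, {"Referer": "https://www.netflix.com/Queue"})
    vuln_q, hard_q = {}, {}
    codes = (vulnerable_add_to_queue(hostile_get, vuln_q)[0],
             hardened_add_to_queue(hostile_get, hard_q)[0],
             hardened_add_to_queue(hostile_post, hard_q)[0],
             hardened_add_to_queue(legit, hard_q)[0])
    return codes, vuln_q, hard_q


if __name__ == "__main__":
    print(demo())  # ((200, 405, 403, 200), {'session-42': ['70000000']}, {'session-42': ['60000000']})
```

The token is bound to the action as well as the session so that a token leaked or legitimately issued for one form (say, adding to the queue) cannot be replayed against a more sensitive one (changing the mailing address). Binding it to the session rather than to a fixed per-user value also means a token captured from one sign-in is worthless after the next.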