
SoylentNews is people

posted by Fnord666 on Wednesday March 25 2020, @10:37AM
from the another-day-another-hack dept.

Here's the Netflix account compromise Bugcrowd doesn't want you to know about [Updated]:

Updated 3/23/2020: A Netflix spokeswoman said that the dismissal of this bug report on the grounds it was out-of-scope was a mistake on the part of the company. The company has since confirmed the validity of the report and began rolling out a fix on Friday. The spokeswoman said that the researcher will receive a bounty, although she didn't say how much it will be. What follows is the original Ars report:

A Netflix security weakness that allows unauthorized access to user accounts over local networks is out of the scope of the company's bug bounty program, the researcher who reported the threat said. Despite dismissing the report, the Bugcrowd vulnerability reporting service is trying to prevent public disclosure of the weakness.

The researcher's proof-of-concept exploit uses a classic man-in-the-middle attack to steal a Netflix session cookie. These browser cookies are the equivalent of a wristband that music venues use so paying customers aren't charged an entrance fee a second time. Possession of a valid session cookie is all that's required to access a target's Netflix account.

Varun Kakumani, the security researcher who discovered the weakness and privately reported it through Bugcrowd, said the attack is possible because of two things: (1) the continued use of clear-text HTTP connections rather than encrypted HTTPS connections by some Netflix subdomains and (2) the failure of Netflix to set the Secure flag on the session cookie, the attribute that instructs browsers never to send the cookie over an unencrypted connection.

The omissions are surprising to find in a major Web service in 2020. In the years following the 2013 revelations of indiscriminate spying by the National Security Agency, these services almost universally adopted the use of HTTPS across all subdomains. The protocol provides end-to-end encryption between websites and end users. Netflix didn't respond to a message seeking comment for this post. Without an explanation from the company, it's not clear if the use of plaintext connections is an oversight or done purposely to provide various capabilities.

"Essentially you can hack any Netflix account [of] whoever is on the same Wi-Fi network," Kakumani told me. "Old-school MITM attack."
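The two conditions in the report combine in a simple way: a cookie scoped to the parent domain and lacking the Secure attribute is attached by the browser to any request to any subdomain, including plaintext ones, so an attacker on the same Wi-Fi only has to get the victim's browser to make one http:// request (an injected image tag is enough) and read the cookie off the wire. The following added example, which is not from the Ars report, the researcher, or Netflix, models that rule with Python's standard-library cookie jar, whose domain/path/Secure checks mirror a browser's. The domain, cookie name and value are constructed stand-ins, not real Netflix headers.

```python
# Added example: model the cookie-scoping rule the report relies on.
# http.cookiejar applies the same Secure-attribute check a browser does, so we
# can ask it which cookies a client would attach to a plaintext http:// request.
# The domain, cookie name and value below are constructed stand-ins (assumptions),
# not Netflix's real headers.
import urllib.request
from http.cookiejar import Cookie, CookieJar
from http.cookies import SimpleCookie

# Constructed Set-Cookie lines as a server might emit them. The first mirrors
# the reported weakness (no Secure attribute); the second is the hardened form.
WEAK_SET_COOKIE = "SessionToken=abc123; Domain=.example-video.test; Path=/; HttpOnly"
HARDENED_SET_COOKIE = "SessionToken=abc123; Domain=.example-video.test; Path=/; Secure; HttpOnly"


def missing_flags(set_cookie_line):
    """Return {cookie_name: [missing attributes]} for one Set-Cookie header.

    HttpOnly is checked alongside Secure because it is the other attribute a
    session cookie should carry (it keeps page scripts from reading the cookie).
    """
    sc = SimpleCookie()
    sc.load(set_cookie_line)
    result = {}
    for name, morsel in sc.items():
        flags = []
        if not morsel["secure"]:
            flags.append("Secure")
        if not morsel["httponly"]:
            flags.append("HttpOnly")
        result[name] = flags
    return result


def jar_from_set_cookie(set_cookie_line):
    """Load one Set-Cookie header into a browser-like cookie jar."""
    sc = SimpleCookie()
    sc.load(set_cookie_line)
    jar = CookieJar()
    for name, m in sc.items():
        domain = m["domain"]
        jar.set_cookie(Cookie(
            version=0, name=name, value=m.value,
            port=None, port_specified=False,
            domain=domain, domain_specified=bool(domain),
            domain_initial_dot=domain.startswith("."),
            path=m["path"] or "/", path_specified=bool(m["path"]),
            secure=bool(m["secure"]), expires=None, discard=True,
            comment=None, comment_url=None, rest={},
        ))
    return jar


def cookie_header_for(jar, url):
    """The Cookie header a client using this jar would send to url ('' if none)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the domain, path and Secure rules
    return req.get_header("Cookie", "")


def leaked_over_plaintext(set_cookie_line, http_url):
    """Names of cookies from set_cookie_line that would travel to http_url in the clear."""
    assert http_url.startswith("http://"), "this check is only meaningful for plaintext URLs"
    header = cookie_header_for(jar_from_set_cookie(set_cookie_line), http_url)
    return [part.split("=", 1)[0] for part in header.split("; ") if part]


if __name__ == "__main__":
    # A cleartext subdomain of the cookie's domain, as the report describes.
    target = "http://plain.example-video.test/"
    print("weak:    ", missing_flags(WEAK_SET_COOKIE), leaked_over_plaintext(WEAK_SET_COOKIE, target))
    print("hardened:", missing_flags(HARDENED_SET_COOKIE), leaked_over_plaintext(HARDENED_SET_COOKIE, target))
    # With Secure set, the jar still sends the cookie to the HTTPS origin.
    print("https:   ", cookie_header_for(jar_from_set_cookie(HARDENED_SET_COOKIE),
                                         "https://www.example-video.test/"))
```

Running it shows the weak cookie is reported as lacking Secure and is sent to the plaintext subdomain, while the hardened cookie is withheld from the http:// URL yet still delivered over https://. The same `missing_flags` check is what a practitioner would run over a site's real Set-Cookie responses to catch this class of omission before an attacker does.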


    by shipofgold (4696) on Wednesday March 25 2020, @05:02PM (#975537)

    You don't need (1) if you're able to do a MITM attack.

    Not sure how you do a MITM attack if all connections are HTTPS and you don't have the server certificate.

    I don't know enough about the issue to determine if a passive eavesdropping attack is sufficient, but it may be.
