Here’s the Netflix account compromise Bugcrowd doesn’t want you to know about
Weakness allows attackers to steal browser cookies used to authenticate Netflix users. …
reader comments
46 with 36 posters participating, including story author
A Netflix security weakness that allows unauthorized access to user accounts over local networks is out of the scope of the company’s bug bounty program, the researcher who reported the threat said. Despite dismissing the report, the Bugcrowd vulnerability reporting service is trying to prevent public disclosure of the weakness.
The researcher’s proof-of-concept exploit uses a classic man-in-the-middle attack to steal a Netflix session cookie. These browser cookies are the equivalent of a wristband that music venues use so paying customers aren’t charged an entrance fee a second time. Possession of a valid session cookie is all that’s required to access a target’s Netflix account.
Still unencrypted after all these years
Varun Kakumani, the security researcher who discovered the weakness and privately reported it through Bugcrowd, said the attack is possible because of two things: (1) the continued use of clear-text HTTP connections rather than encrypted HTTPS connections by some Netflix subdomains and (2) the failure of Netflix to equip the session cookie with a secure flag, which prevents transmission over unencrypted connections.
The omissions are surprising to find in a major Web service in 2020. In the years following the 2013 revelations of indiscriminate spying by the National Security Agency, these services almost universally adopted the use of HTTPS across all subdomains. The protocol provides end-to-end encryption between websites and end users. Netflix didn’t respond to a message seeking comment for this post. Without an explanation from the company, it’s not clear if the use of plaintext
Continue reading – Article source