SPEAK NO EVIL –
Weakness allows attackers to steal browser cookies used to authenticate Netflix users.
In a statement, Bugcrowd officials wrote:
However, due to the nature of security vulnerabilities and potential risks of uncoordinated disclosure, several customers follow the policy that Anything reported to the platform needs to be approved by the customer before it can be shared publicly. This allows customers to address the vulnerability before it is disclosed. It is entirely possible that any report can reach this state, so long as the researcher and the organization coordinate their activities. In the event that a researcher posts information about a vulnerability without receiving consent from the organization that has not allowed disclosure, we work with the researcher to remove this information from public forums to protect the researcher and customer.
We facilitate this through our platform and program managers. The express goal in reporting a vulnerability is for it to get remediated, and to make the world a little more secure.
Disclosure is not barred in perpetuity. We strongly advocate for disclosure as much as possible — it’s good for the community, and after being fixed, it shows the security-forwardness of the organization remediating the issue. However, it’s important that the disclosure comes only after a discussion between the researcher and customer’s program owners so that both parties reach a mutually agreeable disclosure timeline, etc. In most cases, where there’s a discussion, an agreeable outcome is usually arrived at, and all parties come away with a win (the organization knows about and fixes the finding; the researcher gets paid, and is able to disclose on a timeline after the issue is fixed; and consumers aren’t placed at unnecessary risk due to unauthorized disclosures). Our platform with CrowdStream capabilities and program teams enable this interaction.
As explained earlier, the cookie theft requires the attacker and target to connect to the same Wi-Fi access point or other local network. The unauthorized access also requires that the target be logged in to his or her Netflix account. The attacker uses a technique called ARP poisoning to intercept the traffic between the target and Netflix and then pass it along to the other party. The attacker then waits for the target to make an HTTP connection to any domain. Once the unencrypted connection is established, the attacker injects HTML into the connection to create a second connection request to one of the Netflix HTTP subdomains, such as oca-api.netflix.com.
The connection to the HTTP subdomain makes NetflixId — the name of the unprotected session cookie — free for the taking. If targets don’t access an HTTP connection on their own (something that’s critical common since HTTPS is almost ubiquitous these days) an attacker can trick targets into clicking on any HTTP link. Once in possession of the cookie, the attacker then uses a browser console to paste the cookie on an open Netflix page. With that, the attacker accesses the target’s account.
A transcript of Kakumani’s communications with Bugcrowd shows a worker for the vulnerability reporting service saying that possession of the NetflixID cookie was not enough to gain unauthorized access to an account. Instead, the worker said, “This attack would require a man-in-the-middle position and does not compromise the SecureNetflix cookie, which is used to authenticate a user to www.netflix.com. The SecureNetflix cookie has the Secure flag set and won’t be sent over an unencrypted channel. The NetflixId cookie does not have the Secure flag set but requires the SecureNetflix cookie to authenticate a user. “
Kakumani told me the worker’s statement is wrong, and his proof-of-concept videos, which at Bugcrowd’s insistence are no longer public, seem to prove this. The videos show the attacker using only the NetflixId cookie to gain access to an account.
In any event, attackers who gain unauthorized access can’t take over the account, since changing passwords or associated email addresses require knowledge of the current password. Attackers, however, can still watch videos and view a target’s watch history, phone number and other personal data. Attackers can also change plans to ultra high definition, which costs more than high definition. The unauthorized access is possible even when the target logs out of the account or makes a password change on the same device that received the intercepted session cookie, Kakumani said.
Exploit is not for everyone
Given the requirements that the attacker must be on the same local network as the target and must either trick the target to click on an HTTP link or wait for the target to access one on his or her own, there’s little likelihood that this weakness will be widely exploited. Still, the vulnerability provides an opportunity for targeted attacks in a scenario that occurs regularly. It’s surprising that Netflix, a company with a reasonably good security track record, would dismiss Kakumani’s report.
The incident also underscores the role bug-bounty programs play in squashing vulnerability disclosure. No doubt, privacy makes sense when companies are in the process of fixing a vulnerability. The secrecy prevents other hackers from maliciously exploiting the weaknesses before the fix is in place.
But once a weakness is fixed — or in the event a company opts not to fix it — users deserve to have full details of the bug, including how attacks work. Bugcrowd policies barring the free flow of this information serve the interests of Netflix but are less helpful to the public at large.
GIPHY App Key not set. Please check settings