Netflix: No More Vulnerable to XSRF
Netflix, the service that rents DVDs on a subscription basis and changed the way customers rent movies, has now secured its website against hackers.
The Netflix website had several flaws that could allow hackers to modify user addresses, add movies to their rental queues, and hijack accounts via 'cross-site request forgery'. 'Cross Site Request Forgery' (XSRF) is considered one of the security issues affecting feature-rich websites. Web 2.0 sites, like that of Netflix, were often vulnerable to XSRF fraud. However, Netflix has now fixed all of its flaws.
Steve Swasey, spokesperson for Netflix, told SCMagazine.com on October 17, 2006 that the flaw was remedied before the public came to know about it. The design flaws in the Netflix website were the result of a new class of weakness in Web applications called 'Cross Site Request Forgery'.
Swasey further assured that Netflix took all the necessary protective measures to keep its 5.2 million customers' private data secure. Netflix uses encryption to protect its customers' credit card numbers.
An attacker could exploit the weakness by crafting a web page containing some simple 'hypertext markup language', or HTML, code. The attack would succeed by tricking a logged-in Netflix user into visiting the spoof site and following its instructions.
For a successful attack, a malicious user would have to design a malicious website that could act against the victim's account without the user's knowledge. The site does not have to resemble Netflix. All it requires is a page designed to exploit the weakness. The result would be that the Netflix user would not even notice his account being hijacked.
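The mechanism the two paragraphs above describe is that the browser attaches the victim's Netflix session cookie to any request a third-party page triggers, so the server cannot tell a forged state change from a legitimate one by the cookie alone. The standard fix is a per-session secret (the synchronizer token) that only pages served by the real site can embed in a form. The following is an added illustration, not Netflix's code or the researcher's findings: a simplified "update address" handler in its vulnerable form beside a hardened form that requires the token. `Session`, `Request`, and the handler names are assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Session:
    """Server-side session resolved from the browser's cookie (hypothetical model)."""
    user: str
    address: str = ""
    # Unguessable per-session secret that only the real site's pages can embed.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal request model: method, the session the cookie mapped to, and form fields."""
    method: str
    session: Optional[Session]
    form: dict


def update_address_vulnerable(req: Request) -> Tuple[int, str]:
    """Trusts the session cookie alone.

    A POST submitted by a page on another origin carries the same cookie,
    so the forged request is indistinguishable from a legitimate one here.
    """
    if req.method != "POST" or req.session is None:
        return 403, "forbidden"
    req.session.address = req.form.get("address", "")
    return 200, "updated"


def update_address_hardened(req: Request) -> Tuple[int, str]:
    """Requires a form field that matches the secret stored in the session.

    A third-party page cannot read the victim's token (same-origin policy
    keeps the real site's HTML out of reach), so it cannot produce a
    request that passes this check.
    """
    if req.method != "POST" or req.session is None:
        return 403, "forbidden"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison on bytes; avoids leaking token bytes via timing.
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return 403, "csrf token missing or invalid"
    req.session.address = req.form.get("address", "")
    return 200, "updated"


def render_address_form(session: Session) -> str:
    """The real site's form: embeds the session token as a hidden field."""
    return (
        '<form method="POST" action="/account/address">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input type="text" name="address">'
        '<input type="submit" value="Save">'
        "</form>"
    )


def demo() -> dict:
    """Runs a constructed forged request and a legitimate one through both handlers."""
    session = Session(user="alice", address="1 Old Street")

    # Constructed: a request triggered from another origin; it carries the
    # cookie (so the session resolves) but has no way to know the token.
    forged = Request("POST", session, {"address": "666 Attacker Lane"})
    vulnerable_result = update_address_vulnerable(forged)
    forged_address = session.address

    session.address = "1 Old Street"  # reset for the hardened run
    hardened_forged = update_address_hardened(forged)
    address_after_block = session.address

    # Constructed: a submission of the site's own form, token included.
    legit = Request("POST", session,
                    {"address": "2 New Street", "csrf_token": session.csrf_token})
    hardened_legit = update_address_hardened(legit)

    return {
        "vulnerable_forged": vulnerable_result,
        "forged_address": forged_address,
        "hardened_forged": hardened_forged,
        "address_after_block": address_after_block,
        "hardened_legit": hardened_legit,
        "final_address": session.address,
        "form_has_token": session.csrf_token in render_address_form(session),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token check is the part that matters; pairing it with the `SameSite` cookie attribute and a server-side check that the `Origin` or `Referer` header matches the site gives defence in depth, since any one of those signals can be absent in some browsers.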
A posting on insecure.org said that researcher Dave Ferguson had reported the flaws to Netflix about a month before their disclosure.
» SPAMfighter News - 23-10-2006