Message-ID: <3403d5c50610160635j6707d7dy57a7bd0bc9e8d567@mail.gmail.com>
Date: Mon, 16 Oct 2006 08:35:17 -0500
From: "Dave Ferguson" <gmdavef@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Netflix Cross Site Request Forgery Vulnerability

ANNOUNCEMENT

Netflix Cross Site Request Forgery Vulnerability

Release Date: 10/16/2006

Netflix notified: 9/25/2006

Author: David Ferguson, Security Researcher -- gmdavef [at] gmail com

INTRODUCTION

Recently I found that the Netflix.com site was vulnerable to Cross Site
Request Forgery (XSRF), also known as hostile linking.  I notified
Netflix about this problem on 9/25/06 and it appears they are finally
making the necessary corrections.  I want to make the information
public to raise awareness of this type of vulnerability and hopefully
educate others who may not have heard about it before.  An excellent
whitepaper about XSRF by Jesse Burns can be found at
http://www.isecpartners.com/documents/XSRF_Paper.pdf.

BACKGROUND

Netflix is a company that offers a popular online DVD rental service.
Over 5.5 million people are currently Netflix subscribers.  Many users
of the Netflix web site, when logging in, choose the option that says
"Remember me on this computer".  This option causes one or more
cookies to be written to the user's computer.  The cookie is sent
automatically the next time a user visits the Netflix site,
eliminating the need to enter credentials again.

VULNERABILITY OVERVIEW

XSRF is an application-level vulnerability where an attacker takes
advantage of the trust that the web site has in the cookie.  Commands
are issued on the target application unbeknownst to the user.  By
exploiting the XSRF vulnerability, an attacker could have made changes
to a victim's Netflix account simply by having him visit a malicious
web site.  Any Netflix user who had chosen the "remember me" option,
or who happened to be logged in at the time, was subject to this
attack.  The victim would not have seen anything out of the ordinary
that might indicate his Netflix account was affected.

ATTACK SCENARIOS

Netflix has corrected several of the vulnerabilities.  Prior to the
corrections, an attacker could use XSRF to perpetrate a number of
actions on the victim including:

 - adding movies to his rental queue (still possible as of 10/16/06 a.m.)
 - adding a movie to the top of his rental queue (still possible as of
10/16/06 a.m.)
 - changing the name and address on the account
 - enabling/disabling extra movie information
 - changing the email address and password on the account (was limited
exposure only)
 - cancelling the account (Unconfirmed/Conjectured)

Chaos and/or embarrassment could result if an attacker decided to add
random DVDs to the top of each victim's rental queue.  In many cases,
the attacker-chosen DVDs would have shipped out and arrived before
the change was noticed.  It is also possible to add dozens or even
hundreds of DVDs to a victim's rental queue, all without his
knowledge.

One of the most serious exploits was the ability to change the name
and mailing address on the account.  An attacker could have changed
the name and address (or just the address) on a large number of
Netflix accounts.  DVDs would subsequently have been shipped to the
address of his choice and stolen.

Another harmful exploit was the potential ability to change email
address and password on the account.  This particular exposure was
limited in nature because the Netflix site normally requires input of
the current password before changing the email address or password on
the account.  However, there was a certain time period after a user
signed in where the current password was not required.  During this
time period, it was possible for a malicious site to cause the email
address and password on a victim's account to be changed.  The
legitimate user would have been locked out of his account and full
control given to the attacker.

PROTECTING YOURSELF

If you're a Netflix subscriber, there are several ways you can protect
yourself until Netflix fully fixes their site.  These safeguards would
also help protect against XSRF vulnerabilities in other sites.

Option 1 -- Don't use the "remember me" option when signing in.  That
will prevent stored cookies and protect you against XSRF attacks.  You
should also avoid visiting unknown or untrusted sites while signed in
to Netflix.  Finally, make sure to sign out and close all browser
windows when finished using the Netflix site.

Option 2 -- Use one browser (e.g., Firefox) exclusively for Netflix,
and another browser (e.g., Internet Explorer) for all other web sites.

Option 3 (not recommended) -- Use Firefox as your web browser and tell
it not to load images from other sites.  You can do this by putting a
check in the box next to "for the originating web site only" under
Tools--Options--Content.  Please note that this option may not be 100%
effective.

MITIGATING XSRF

Developers can prevent XSRF vulnerabilities from appearing in web
applications in several ways.  The white paper by Jesse Burns
describes several alternatives.  The best technique appears to be
implementing a cryptographic token that must be passed as a parameter
with every request.  The cryptographic token would consist of several
pieces of data including the type of action being performed, the
session ID, and some secret value generated by the application.  The
token could not be reproduced by an attacker and therefore any
requests without a valid token could be rejected by the application.

Another, albeit less reliable, mitigation technique would be to check
the Referer (sic) in the http request header and verify it is from the
expected domain.

It should also be noted that a contributing problem in Netflix's case
was that HTML forms could be submitted via the GET method as well as
the POST method.  An application that supports GET requests simplifies the
exploit for attackers because they can place form parameters within
the URL itself.
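The following is an added example, not part of Dave Ferguson's post and not Netflix code, showing the server side of the mitigations the MITIGATING XSRF section recommends: an HMAC-based token bound to the session ID and the action type, a constant-time check of that token on every state-changing request, a secondary Referer check, and rejection of GET for state changes. The secret, the session table, the cookie name `session`, the host `www.example.test` and the request scenarios are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed application secret; a real deployment generates this once and
# keeps it outside the code base (assumption for this example).
APP_SECRET = secrets.token_bytes(32)

# Constructed session table: cookie value -> session id.  A persistent
# "remember me" cookie and a fresh login cookie both end up here.
SESSIONS = {"remember-me-cookie-abc": "session-1001"}

HOST = "www.example.test"          # constructed expected Referer host
COOKIES = {"session": "remember-me-cookie-abc"}  # what the browser sends automatically


def make_csrf_token(secret: bytes, session_id: str, action: str) -> str:
    """Derive a token tied to one session and one action (e.g. "queue_add").

    The token is an HMAC-SHA256 over the action name and the session id,
    keyed with the application secret, so a third-party page cannot compute
    it even though the victim's browser will happily send the cookie."""
    message = f"{action}\x00{session_id}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_csrf_token(secret: bytes, session_id: str, action: str,
                      token: Optional[str]) -> bool:
    """Constant-time comparison against the token the server would have issued."""
    if not token:
        return False
    expected = make_csrf_token(secret, session_id, action)
    return hmac.compare_digest(expected, token)


def referer_allowed(headers: dict, expected_host: str) -> bool:
    """Secondary check: a missing or foreign Referer header is rejected.

    Browsers and proxies may strip Referer, so this is a second line of
    defence behind the token, never the only check."""
    referer = headers.get("Referer")
    if not referer:
        return False
    from urllib.parse import urlsplit
    return urlsplit(referer).hostname == expected_host


def handle_state_change(method: str, headers: dict, cookies: dict,
                        params: dict, action: str) -> Tuple[int, str]:
    """Gatekeeper for a state-changing endpoint.  Returns (status, reason)."""
    # State changes must arrive by POST; accepting GET lets every form
    # parameter be placed in an <img> or link URL.
    if method != "POST":
        return 405, "state change must use POST"
    session_id = SESSIONS.get(cookies.get("session", ""))
    if session_id is None:
        return 401, "no valid session"
    if not verify_csrf_token(APP_SECRET, session_id, action, params.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    if not referer_allowed(headers, HOST):
        return 403, "unexpected Referer"
    return 200, f"{action} applied to {session_id}"


# Constructed scenarios: the token is issued to the legitimate page only.
def scenario_legitimate() -> Tuple[int, str]:
    token = make_csrf_token(APP_SECRET, "session-1001", "queue_add")
    return handle_state_change("POST", {"Referer": f"https://{HOST}/queue"},
                               COOKIES, {"movie": "123", "csrf_token": token}, "queue_add")


def scenario_cross_site_get() -> Tuple[int, str]:
    # Cookie is sent automatically, but a third-party page holds no token.
    return handle_state_change("GET", {"Referer": "https://other.test/"},
                               COOKIES, {"movie": "123"}, "queue_add")


def scenario_cross_site_post() -> Tuple[int, str]:
    return handle_state_change("POST", {"Referer": "https://other.test/"},
                               COOKIES, {"movie": "123"}, "queue_add")


def scenario_token_for_other_action() -> Tuple[int, str]:
    # A token issued for one action must not authorise a different one.
    token = make_csrf_token(APP_SECRET, "session-1001", "profile_view")
    return handle_state_change("POST", {"Referer": f"https://{HOST}/queue"},
                               COOKIES, {"csrf_token": token}, "queue_add")


if __name__ == "__main__":
    for name, fn in [("legitimate", scenario_legitimate),
                     ("cross-site GET", scenario_cross_site_get),
                     ("cross-site POST", scenario_cross_site_post),
                     ("wrong-action token", scenario_token_for_other_action)]:
        print(f"{name:20s} -> {fn()}")
```

Binding the token to the session ID is what stops an attacker from reusing a token issued to his own account, and binding it to the action name prevents a token obtained from a harmless page from authorising a different operation; the Referer check is kept last because a legitimate client may not send the header at all.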
