CGI Security via AppSec Notes complains that Netflix has not fixed all of their CSRF vulnerabilities. You can no longer access account information, billing information, change shipping address, or anything of value, but you can still add movies to someone’s queue. This apparently still bothers the author who has a note of annoyance that Netflix hasn’t completely fixed everything yet. I think this loses sight of realistic business goals of security- from an enterprise perspective one addresses security vulnerabilities in order to protect revenue or prevent damage. It is a cost benefit analysis, weighing whether allocating resources to address a particular vulnerability allows the greatest capitalization of those resources.

I’d posit that Netflix does not believe preventing CSRF attacks that add movies to the top of a queue to be the most effective use of those development resources. When looking at the impact and likelihood of this sort of CSRF attack the associated risk comes out quite low:

Impact- no direct loss of capital or resources, some level of brand damage. Some customers may very well be so pissed over getting sent some embarrassing video that they leave completely, which is a drop in revenue, however I would posit that these people are probably the minority. More people are likely to be pissed, complain, and probably get a free month as a token apology (loss of 1/12 of the yearly revenue for those people) but complaining smacks of efforts so I don’t imagine that this number will be horribly large either. Then there is the group that will be pissed and do nothing, no appreciable loss. Next is the group that is confused because they didn’t order that particular embarrassing video, no appreciable loss. Finally there is the outlier group that is hard to predict- the group where a couple gets an embarrassing movie, gets in a fight, and seperates over a movie (I live in a town where two middle aged men shot each other because of an argument over who parked their oversized SUV too close to the other oversized SUV, so I fully imagine there are people who would overreact to a movie). This might be a loss of a subscription, maintain the status quo, or a gain of a subscription because now the newly separated couple both wants a subscription, whereas they accounted for only one before.

There is also brand damage should this get media coverage once it is exploited. That is a hard thing to put dollars on.

Likelihood- For this to be exploited a customer needs to visit another website that actually carries out the CSRF attack. For that to happen the other website would need to choose actively to be malicious to Netflix instead of carrying out CSRF against a website that would allow monetary gain- there is no personal gain in exploiting this, only vandalism (which isn’t quite the correct word, but in the same spirit). The visitor needs to be logged into Netflix, and they need to be people who don’t frequently manage their queues otherwise they would notice the movie prior to it being sent (and may still react badly, but I posit that even fewer people would if they caught the movie before it shipped). Of Netflix’s 10 million subscribers I would assert that the number that would fall victim to this is small enough to be indistinguishable from zero.

Let’s look at the likely attacker- this isn’t organized crime, or any accomplished Blackhat. Those people are after money. This hypothetical attacker is likely a malcontent teenager who thinks it is funny to screw with a Netflix queue. That mostly rules out the attacker owning their own site that gets enough traffic to exploit this from, and also mostly rules out the attacker knowing of XSS or SQLi flaws in websites that do get enough traffic for this to exploit this from. It leaves their dinky website that pretty much only gets visited by their friends on IRC (or whatever script kiddies use these days)- probably some random blog on blogspot or something similar. In other news this will be exploited from a location that will not attract any noticeable number of Netflix subscribers.

So the likelihood is pretty nonexistent, the impact is very low, and thus the risk of losing subscribers because they were exploited is essentially 0. The risk of brand damage from press coverage isn’t much higher- someone in the press needs to find out about this flaw, grok what the heck the flaw really is, actually have a victim so they can tell a story about, and then compete for airtime with Company X is laying of 50,000 employees and congress is too incompetent to fix things. I predict the tampered roadsigns warning about zombies gets more press coverage. Finally the viewers need to care. TJ Max is our security story, biggest public data loss to date (with Heartland possibly taking the crown), and anecdotally the people I know who shop there weren’t even aware of it, and upon me explaining it STILL DIDN’T CARE. Netflix subscribers are a slightly different demographic, but I don’t see people getting really worked up about hearing that maybe they might be sent the wrong movie.

So why should Netflix fix this problem, instead of working on features that may attract more customers? The people who found this flaw care because it is their flaw- it matters because it is theirs. Unfortunately that doesn’t sway companies. For any vulnerability that is found it isn’t enough to point out the vulnerability- a business case also needs to be made for addressing the vulnerability. That is the reality of enterprise security- everything is cost/benefit analysis. If the risk is low, the response will reflect that. I’d love to see all vulnerabilities get addressed as much as the next security professional, but that is idealism rather than realism talking.

~ Joshbw