Ankit Kashyap

Backend

Behavioral

Cloud

DDIA

Design Patterns

Design and UX

DotNet

Frontend

Fun Topics

Low level design

Product

Story

System Design

Netflix 2006 CSRF Issue

Netflix 2006 CSRF Vulnerability

In 2006, Netflix was found to be vulnerable to a Cross-Site Request Forgery (CSRF) attack, allowing attackers to manipulate user accounts without their consent. The issue was publicly disclosed by security researcher Jasper Greve.

What Was the Vulnerability?

  • Netflix’s web application did not use CSRF tokens to verify user actions.
  • An attacker could craft a malicious request to perform actions on behalf of a logged-in user.
  • If a user visited a malicious webpage, the attack could modify their Netflix account settings (e.g., change queue preferences, add/remove movies).

How Did the Attack Work?

  1. User Logs into Netflix

    • A user logs into Netflix, and their session cookie is stored in the browser.

  2. User Visits a Malicious Website

    • The attacker tricks the user into visiting a webpage with a hidden CSRF attack payload (e.g., an <img> or <iframe> tag).

  3. Malicious Request is Sent to Netflix

    • The website silently sends an unauthorized request to Netflix using the victim’s active session.
    • Example of a hidden attack: 
      <img src="https://www.netflix.com/Queue?add_movie=12345" />
    • This would automatically add a movie to the victim’s queue without their knowledge.

  4. Netflix Accepts the Request

    • Since Netflix did not verify requests with CSRF tokens, it processed the request as if the user had performed the action.
    • The victim’s account was modified without their consent.

Why Was Netflix Vulnerable?

  1. Lack of CSRF Tokens

    • Netflix did not require a CSRF token in requests, allowing attackers to submit forged requests.

  2. Session Cookies Were Automatically Sent

    • Since Netflix used cookies for authentication, browsers automatically sent them in cross-site requests.
    • No SameSite restrictions were in place to block CSRF attacks.

  3. GET Requests Modified State

    • Actions like adding movies were performed using GET requests, which should only be used for reading data, not modifying it.

Impact of the Vulnerability

  • Attackers could manipulate users’ movie queues.
  • If combined with XSS, attackers could have gained full control over accounts.
  • Netflix had to quickly patch the issue to prevent large-scale abuse.

How Netflix Fixed It

Implemented CSRF Tokens:

  • All state-changing requests now require a unique CSRF token to verify authenticity.

Switched to POST for Modifications:

  • Actions like adding movies now require POST requests instead of GET.

SameSite Cookie Enforcement:

  • Netflix improved session security by implementing SameSite=Lax cookies to block cross-site requests.

Security Best Practices:

  • Netflix now follows OWASP security guidelines, including input validation and session security improvements.

Lessons from the Netflix CSRF Issue

🔹 Always use CSRF tokens in forms and API requests.
🔹 Restrict session cookies using SameSite=Lax or Strict.
🔹 Never allow GET requests to modify user data—use POST or PUT instead.
🔹 Regularly test for CSRF vulnerabilities in web applications.

The Netflix 2006 CSRF issue was an early wake-up call that even large platforms need strong CSRF protections to prevent unauthorized actions. 🚀