Netflix fixes cross-site request forgery hole

Netflix, the subscription-based DVD rental service that revolutionized the way consumers rent movies, has shored up its website against hackers.

Netflix fixed a number of flaws in its website that could allow hackers to change user addresses and hijack accounts through cross-site request forgery (XSRF).

Researcher Dave Ferguson reported the flaws to Netflix weeks before they were publicly disclosed, according to a vulnerability posting on

Steve Swasey, Netflix spokesperson, told today that the flaw was fixed before the public was aware of it.

"Netflix has 5.2 million members, and its 5.2 million members should always feel secure that we protect their private data and we take whatever measures are necessary to do that," he said. "We took whatever measures were necessary here. We always use encryption to protect our customers' credit-card numbers. We take that very seriously."

Swasey added that the possibility of customer information being hacked was remote.

"We found what could potentially be a problem in a random case," he said. "The scope was very limited, but when there was even a remote possibility, we fixed it. No one was affected by this."

For an attack to succeed, a malicious user would have to craft a malicious website that could infect a PC without the user knowing.

XSRF is considered a serious security problem for sophisticated websites - often referred to as Web 2.0 sites.

"No. The malicious site does not have to look like Netflix. Someone could have fallen victim by visiting any webpage on any site," Ferguson told today. "The page just had to be designed to exploit it, and the user would not even see that his Netflix account was affected. That is the one reason why it was so dangerous in my opinion."

Click here to email Frank Washkuch Jr.
