Netflix flattens bug that allowed account p0wnage via voicemail

Password-protect your voicemail, if you can


Netflix has reworked its password reset function after an Austrian security researcher demonstrated how an attacker could spoof it to take over a victim's account.

Fortunately, the bug wasn't universal: it depended on the customer's mobile carrier being one that hasn't properly protected users' voicemail accounts from unauthorised access.

In the scenario described here, a chap named “Slashcrypto” notes that in his home country, T-Mobile is one such carrier and a default voicemail configuration would leave someone open to attack.

The other prerequisite is that the attacker can spoof the number a call is apparently coming from – but that's no great challenge, since common VoIP systems like Asterisk let an admin set any “from” number they like.

Given that, the post says it's possible to take over a target's Netflix account using a pretty simple attack flow:

  • Start at the Netflix “password reset” screen (with the victim's account ID), and enter their phone number to request an automated callback;
  • Place a call to the victim at the same time, so that the automated call is redirected to voicemail;
  • Spoof the victim's caller ID to get into the voice mailbox, and play back the security code Netflix left there.

Netflix's mitigation was pretty simple: the user now has to press a key before the code is read out. A voicemail system never presses a key, so the automated call can no longer deposit the code in a mailbox.

In putting together his demo, Slashcrypto notes work by Australian pentester Shubham Shah in 2014. ®



Biting the hand that feeds IT © 1998–2017