Putting Vulnerabilities in Perspective
"AppSec Notes complains that Netflix has not fixed all of their CSRF vulnerabilities. You can no longer access account information, billing information, change shipping address, or anything of value, but you can still add movies to someone’s queue. This apparently still bothers the author who has a note of annoyance that Netflix hasn’t completely fixed everything yet. I think this loses sight of realistic business goals of security- from an enterprise perspective one addresses security vulnerabilities in order to protect revenue or prevent damage. It is a cost benefit analysis, weighing whether allocating resources to address a particular vulnerability allows the greatest capitalization of those resources. I’d posit that Netflix does not believe preventing CSRF attacks that add movies to the top of a queue to be the most effective use of those development resources. When looking at the impact and likelihood of this sort of CSRF attack the associated risk comes out quite low"
Read more: http://www.analyticalengine.net/archives/102
My post about Netflix was simply meant to provide interesting information. The statement "it was purposefully not done for business reasons", should make it clear that I did indeed consider their business goals. Obviously, there is a reason it hasn't been fixed, but I disagree with your assumption that significant developer resources are needed. The Netflix team already implemented CSRF protection for the other actions, and that same mechanism could be deployed for adding movies.
Posted by: Dave Ferguson | Feb 16, 2009 10:04:00 AM