back to article Netflix flattens bug that allowed account p0wnage via voicemail

Netflix has reworked its password reset function after an Austrian security researcher demonstrated how an attacker could spoof it to take over a victim's account. Fortunately, the bug wasn't universal: it depended on the customer's mobile carrier being one that hasn't properly protected users' voicemail accounts from …

  1. as2003

    Voicefail

    Seems to me carriers not adequately protecting users' voicemail is the bigger problem here.

    1. The Travelling Dangleberries

      Re: Voicefail

      Well yes, and no. The developers of the Netflix password reset function made an basic mistake. Their system was open to abuse as it assumed a default level of security somewhere else - a "somewhere else" over which they have absolutely no control over.

    2. paulf

      Re: Voicefail

      @ as2003 "Seems to me carriers not adequately protecting users' voicemail is the bigger problem here."

      I guess these carriers, many of which have some kind of operations in the UK, have learned nothing from the various tabloid newspaper phone voicemail hacking that went on over here.

  2. Simon Harris Silver badge

    "Netflix must have been hacked"

    That's what I tell my other half when she looks at the viewing history and complains about the amount of crap I watch!

  3. Tatsky

    Interesting

    That's an interesting and very simple exploit, easily achieved.

    As said above Netflix has assumed the security of the medium over which this authentication happens, but they have no control over it, so the assumption is flawed.

    I guess the fallout from an exploit like this is limited to a) someone using your netflix account to watch stuff and b) the legitimate owner being locked out until they reset the account themselves.

    However, I wonder what other companies and systems use the same auto phone call method for verification? I reckon there could be a lot more systems need looking at in light of this.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020