Netflix flattens bug that allowed account p0wnage via voicemail Netflix has reworked its password reset function after an Austrian security researcher demonstrated how an attacker could spoof it to take over a victim's account. Fortunately, the bug wasn't universal: it depended on the customer's mobile carrier being one that hasn't properly protected users' voicemail accounts from …
@ as2003 "Seems to me carriers not adequately protecting users' voicemail is the bigger problem here."
I guess these carriers, many of which have some kind of operations in the UK, have learned nothing from the various tabloid newspaper phone voicemail hacking that went on over here.
That's an interesting and very simple exploit, easily achieved.
As said above Netflix has assumed the security of the medium over which this authentication happens, but they have no control over it, so the assumption is flawed.
I guess the fallout from an exploit like this is limited to a) someone using your netflix account to watch stuff and b) the legitimate owner being locked out until they reset the account themselves.
However, I wonder what other companies and systems use the same auto phone call method for verification? I reckon there could be a lot more systems need looking at in light of this.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
