Netflix has reworked its password reset function after an Austrian security researcher demonstrated how an attacker could spoof it to take over a victim's account.
Fortunately, the bug wasn't universal: it depended on the customer's mobile carrier being one that hasn't properly protected users' voicemail accounts from unauthorised access.
In the scenario described here, a chap named “Slashcrypto” notes that in his home country T-Mobile is one such carrier, and that its default voicemail configuration would leave a subscriber open to attack.
The other prerequisite is that the attacker can spoof the number a call is apparently coming from – but that's no great challenge, since common VoIP systems like Asterisk let an admin set any “from” number they like.
Given that, the post says it's possible to take over a target's Netflix account using a pretty simple attack flow:
- Start at the Netflix “password reset” screen (with the victim's account ID), and enter their phone number for an automated callback;
- Place a call to the victim, so the auto-call redirects to voicemail;
- Spoof the victim's caller ID to get into their voice mailbox, and play back the recorded security code.
Netflix's mitigation was pretty simple: the user has to press a key to continue. That way, the autocall can't land in their voicemail.
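As an added illustration of that fix (this is not Netflix's code; the `Call` class is a constructed stand-in for a telephony API leg), here is the weak "read the code to whoever answers" flow beside the keypress-gated one, with a check for whether the secret ended up in recorded audio:

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Call:
    """Constructed simulation of an outbound call leg (assumption: not any vendor's API)."""
    answered_by: str                               # "human" or "voicemail"
    heard: list = field(default_factory=list)      # audio that reached whoever answered

    def say(self, text: str) -> None:
        self.heard.append(text)

    def gather_digit(self) -> Optional[str]:
        # A voicemail greeting cannot press a key; only a live person can.
        return "1" if self.answered_by == "human" else None


def new_reset_code() -> str:
    """Six-digit one-time code from a CSPRNG."""
    return f"{secrets.randbelow(10**6):06d}"


def deliver_code_weak(call: Call, code: str) -> bool:
    """The flow the post describes: the code is read out to whatever answers."""
    call.say(f"Your reset code is {code}")
    return True  # disclosed, even if a mailbox recorded it


def deliver_code_hardened(call: Call, pending: dict) -> bool:
    """Netflix's fix as described: require a keypress before reading the code."""
    call.say("Press any key to receive your reset code.")
    if call.gather_digit() is None:
        call.say("Goodbye.")
        pending["valid"] = False   # added hardening (assumption): retire the code on no keypress
        return False
    call.say(f"Your reset code is {pending['code']}")
    return True


def code_reached_answerer(call: Call, code: str) -> bool:
    """Defender check: did the secret end up in what the answering party heard?"""
    return any(code in line for line in call.heard)
```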
In putting together his demo, Slashcrypto notes work by Australian pentester Shubham Shah in 2014. ®