[38652] in bugtraq


Netflix Site may assist Phishing

daemon@ATHENA.MIT.EDU (Sara Togian)
Thu Apr 28 16:33:55 2005

Message-ID: <9296b1f805042806478c7f268@mail.gmail.com>
Date: Thu, 28 Apr 2005 09:47:49 -0400
From: Sara Togian <saratogian@gmail.com>
Reply-To: Sara Togian <saratogian@gmail.com>
To: bugtraq@securityfocus.com, abuse@netflix.com
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Hello,

Similar to the previously discussed issues with the eBay and Capital
One website, Netflix also has a redirect which can assist phishing.

https://www.netflix.com/redirect.jsp?target=http://dummy.site.com/ 

Or, it can be made even more obscure:

https://www.netflix.com/redirect.jsp?target=%68%74%74%70%3A%2F%2F%67%6F%6F%67%6C%65%2E%63%6F%6D%2F

I have not yet seen phishing emails to Netflix, but since they do have
credit card info, I can't see them not occurring at some point. In
either case, it's a major website with a silly issue. As well, it can
look even more valid as it is a link to a secure site.

History:

Netflix was notified on Wednesday April 20, 2005. I got a form letter
back, no other response, and the issue is still there.

I again tried Netflix on 4/25.  Customer Service response that the
email is being sent to the proper department. Issue still there.

4/28, I figured this was enough time for a fix or a response from the
"proper department" and reported the issue to BugTraq. Not fixed at
time of sending this.

Regards,
KM
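
The post shows an open redirect: the endpoint takes an attacker-supplied absolute URL in a `target` parameter and sends the browser there, and percent-encoding hides the destination from anyone eyeballing the link. The following is an added example, not code from the original post or from Netflix: it decodes the obscured `target` value from the post and shows the allow-list check a redirect endpoint of this kind should apply before emitting a Location header. The parameter name `target` comes from the post; `SITE_ORIGIN`, the function names and the sample paths are this example's own assumptions.

```python
"""Added example (not from the original bugtraq post): decode the obscured
redirect target shown in the post and demonstrate a same-site allow-list
check for an endpoint of the form redirect.jsp?target=...

The parameter name 'target' is taken from the post; SITE_ORIGIN and the
function names are assumptions made for this example."""
from urllib.parse import parse_qs, unquote, urljoin, urlsplit

# Origin the redirect endpoint is meant to keep users on (assumed here).
SITE_ORIGIN = "https://www.netflix.com"


def target_param(url: str) -> str:
    """Pull the 'target' query parameter out of a full redirect URL."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("target", [""])[0]


def decode_target(raw: str) -> str:
    """Percent-decode until the value stops changing, so single and
    double encodings (%68 or %2568) both collapse to the real characters.
    The loop is bounded; ordinary input needs one pass."""
    prev, cur = None, raw
    for _ in range(5):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def is_safe_target(raw: str) -> bool:
    """Accept only a relative path on this site.

    Rejected: absolute URLs (http://...), scheme-relative ones (//host),
    backslash variants browsers normalise to a slash (/\\host), control
    characters, and anything whose fully decoded form names a scheme or
    host. The final urljoin check confirms the result resolves to our own
    origin rather than relying on string prefix tests alone."""
    if not raw.startswith("/"):
        return False
    target = decode_target(raw)
    if target.startswith(("//", "/\\")):
        return False
    if "\\" in target or any(c in target for c in "\r\n\t"):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    resolved = urlsplit(urljoin(SITE_ORIGIN + "/", target))
    expected = urlsplit(SITE_ORIGIN)
    return (resolved.scheme, resolved.netloc) == (expected.scheme, expected.netloc)


def safe_redirect(raw_target: str, fallback: str = "/") -> str:
    """Location value a hardened redirect endpoint should emit: the caller's
    target only if it passed the allow-list check, otherwise a fixed
    on-site page."""
    return raw_target if is_safe_target(raw_target) else fallback


if __name__ == "__main__":
    # Both URLs are the ones quoted in the post.
    for url in (
        "https://www.netflix.com/redirect.jsp?target=http://dummy.site.com/",
        "https://www.netflix.com/redirect.jsp?target="
        "%68%74%74%70%3A%2F%2F%67%6F%6F%67%6C%65%2E%63%6F%6D%2F",
    ):
        raw = target_param(url)
        print(f"{raw!r} -> decoded {decode_target(raw)!r}, "
              f"redirect would go to {safe_redirect(raw)!r}")
```

The check is deliberately an allow-list (a relative path that resolves to the site's own origin) rather than a deny-list of known-bad prefixes; the percent-encoded example in the post is exactly the kind of input that slips past a naive `startswith("http")` test.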
