OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Netflix Site may assist Phishing

From: Sara Togian (saratogiangmail.com)
Date: Thu Apr 28 2005 - 08:47:49 CDT


Hello,

Similar to the previously discussed issues with the eBay and Capital
One website, Netflix also has a redirect which can assist phishing.

https://www.netflix.com/redirect.jsp?target=http://dummy.site.com/

Or, it can be made even more obscure:

https://www.netflix.com/redirect.jsp?target=%68%74%74%70%3A%2F%2F%67%6F%6F%67%6C%65%2E%63%6F%6D%2F

I have not yet seen phishing emails to Netflix, but since they do have
credit card info, I can't see them not occuring at some point. In
either case, it's a major website with a silly issue. As well, it can
look even more valid as it is a link to a secure site.

History:

Netflix was notified on Wednesday April 20, 2005. I got a form letter
back, no other response, and the issue is still there.

I again tried Netflix on 4/25. Customer Service response that the
email is being sent to the proper department. Issue still there.

4/28, I figured this was enough time for a fix or a response from the
"proper department" and reported the issue to BugTraq. Not fixed at
time of sending this.

Regards,
KM