Cookies originally were tiny text files that stored information about you and what you do when you visit a web page. While this was a useful concept, it was prone to security attacks. To prevent such attacks, companies started encrypting the data stored in cookies. But there is only so much data a webpage can store locally on a computer, so cookies evolved into a kind of ID. These IDs help websites provide users with a personalized experience. A cookie would contain a string that uniquely identifies you as a user, which you send back to the webpage’s servers when making a request. If you have the ID, you can impersonate someone on the internet, on the website the cookie was issued for. Over the years, cookies have been protected by highly sophisticated data encryption methods, making it harder for hackers to access valuable user information.
Cookies also help you retain your login information, saving you the hassle of authenticating yourself with every link you click. Even if you close the tab and reopen it, you may not have to sign in again, as a session cookie comes to your rescue. In some cases, the cookie persists for a certain period even after you close your browser or shut down your computer, which makes it a “persistent” cookie. Netflix uses persistent cookies that expire only after a year unless you manually log out or manually clear your browsing data.
Most persistent cookies don’t contain any account-related information, such as email IDs, usernames, or passwords. So what went wrong for Netflix? The developers at Netflix have not committed the heinous crime of storing sensitive data in these cookies. But what they have done bypasses the need for authentication completely. It means that any person with the cookie, regardless of its device of origin, would be treated as signed in, and someone’s account is now compromised.
How simple is this procedure? As simple as taking the cookie in plain text, importing it into the browser, and going to the target webpage. After the cookie data is imported, almost complete access to the victim’s credentials can be obtained in Netflix, from the ability to change the email ID and password to logging the original user out of their devices. So how do you get the content of the cookie, the precious string so vital to the success of this operation?
Netflix, rather shockingly, dismisses this issue as a client-side concern, stating that there’s nothing they can do about it, and considers it out of their scope. The statement reveals the questionable principles on which the product is designed. Imagine if Google came up to you and said that anyone around the world could access all your emails. Sounds disastrous, right? It also seems downright silly. What’s the point of buying a password-protected premium account when you can use it for free?
A ridiculously large number of internet users remain susceptible to basic attacks, including simple phishing. Some more involved methods of getting the cookie would be cross-site scripting or a man-in-the-middle attack. Netflix also provides support for older devices, which may not use software with the same security features as newer ones. Another possible avenue is users who use their accounts only on a Smart TV, where the UI is rather dodgy and people don’t tend to check on the safety of their accounts. These exploits are not restricted to Netflix; they apply to almost any website. A smart attacker could take the cookie from a careless user and use their account for free.
The security problem doesn’t end here. Netflix supports some older web browsers common on Windows 7 systems. These browsers lack some of the more recently introduced cookie security flags that could help prevent cookie theft. The scary part is that the lack of cookie security is not restricted to a Netflix account. In 2018, Facebook was exposed to a similar cookie-stealing malware threat. While cookies help simplify our lives and improve the experience of an end-user, this improvement comes at the cost of privacy.
So is Netflix to blame (or not)? While protecting cookie data is indeed an end-user concern, the developers could bind the cookie ID to something local to the device, such as its MAC address. This would prevent the hacker from gaining access to an account with a cookie meant for another device. While reusing accounts in this manner is a violation of Netflix’s Terms of Service, who reads those anyway?
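The device binding suggested above, together with the cookie security flags mentioned earlier, can be sketched server-side as follows. This is an added example, not Netflix's code: `device_id` is a hypothetical stand-in for whatever device-local value the server can obtain, and `SERVER_KEY`, `SESSIONS` and the cookie name `sid` are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret that never leaves the server
SESSIONS = {}  # session_id -> account; stands in for a server-side session store


def _binding(session_id: str, device_id: str) -> str:
    """HMAC tag tying one session ID to one device identifier."""
    msg = f"{session_id}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(account: str, device_id: str) -> str:
    """Create a session and return the Set-Cookie header value for it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = account
    cookie = SimpleCookie()
    cookie["sid"] = f"{session_id}.{_binding(session_id, device_id)}"
    cookie["sid"]["secure"] = True      # only sent over HTTPS
    cookie["sid"]["httponly"] = True    # hidden from page scripts
    cookie["sid"]["samesite"] = "Lax"   # not attached to most cross-site requests
    cookie["sid"]["max-age"] = 3600     # one hour instead of one year
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def authenticate(cookie_header: str, device_id: str):
    """Return the account if the cookie is valid for this device, else None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "sid" not in cookie:
        return None
    session_id, _, tag = cookie["sid"].value.partition(".")
    if session_id not in SESSIONS:
        return None
    expected = _binding(session_id, device_id)
    # Constant-time comparison; a cookie replayed from another device fails here.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return SESSIONS[session_id]
```

The binding only helps when the device value is something a thief cannot copy along with the cookie.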
Once the snitched string is in your hands, you have all but unlimited power. You can take the cookie from your end and share it with all your friends, resulting, in theory, in one account for all. Your cookie, and hence your account, can be used by a shady baguette maker in France or a grammar schoolboy in Venezuela to view any content of their liking. To do this myself, all I need to do is be a backend pro and set up my browser to take in the new cookie. Right? Wrong! All you need is a simple browser extension or add-on that imports the cookie and sets you up (though you really should be capable of doing this by yourself if you can steal a cookie). When the browser eats the cookie, all you need to do is refresh your page, tune in to your favourite show and grab a packet of cookies yourself, all for free.