Putting Vulnerabilities in Perspective

"AppSec Notes
complains that Netflix has not fixed all of their CSRF vulnerabilities.
You can no longer access account information, billing information,
change shipping address, or anything of value, but you can still add
movies to someone’s queue. This apparently still bothers the author who
has a note of annoyance that Netflix hasn’t completely fixed everything
yet. I think this loses sight of realistic business goals of security:
from an enterprise perspective one addresses security vulnerabilities
in order to protect revenue or prevent damage. It is a cost benefit
analysis, weighing whether allocating resources to address a particular
vulnerability allows the greatest capitalization of those resources.
I’d posit that Netflix does not believe preventing CSRF attacks that
add movies to the top of a queue to be the most effective use of those
development resources. When looking at the impact and likelihood of
this sort of CSRF attack, the associated risk comes out quite low."

Read more: http://www.analyticalengine.net/archives/102