Netflix Account Takeover Vulnerability
Netflix Account Takeover with Google Obscure Email Vulnerability
- Try the Netflix signup form until you find a gmail.com address that is already registered by some user; for example, you find the victim shaquibdexter.
- Note that an address written with the googlemail.com domain is interpreted the same as gmail.com.
- Create a Netflix account with the address shaquib.dexter (Gmail ignores dots in the local part, so this is the same mailbox as shaquibdexter).
- Sign up for a free trial with any card number (that card should be a throwaway card).
- When Netflix applies the active card check, cancel the card.
- Wait for Netflix to bill the canceled card. Netflix will then email shaquib.dexter asking for a valid card.
- Hope that Dexter reads that email to dexter.weesely, thinks it is for his own Netflix account backed by shaquibdexter, and enters his card ending ****4567.
- Change the email for the Netflix account to email@example.com, kicking shaquibdexter's access to this account.
- Use Netflix free forever with his card ****4567!
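The service-side fix is to compare mailboxes, not spellings: canonicalize Gmail/Googlemail addresses at signup and at every email change, and reject or flag a registration whose canonical form already belongs to another account. The example below is added here and is not Netflix's code or anything from the original write-up; the function names and the registered-address list are assumed for illustration.

```python
from typing import Optional

# Domains whose mailboxes Google treats as one namespace.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a canonical form so two spellings of one mailbox compare equal.

    For Gmail/Googlemail: lowercase, drop every dot in the local part,
    drop any '+tag' suffix, and fold googlemail.com into gmail.com.
    Other domains are only lowercased, since dots are significant there.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.split("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_collision(new_address: str, registered: list) -> Optional[str]:
    """Return the registered address that maps to the same mailbox as new_address, or None."""
    target = canonical_email(new_address)
    for existing in registered:
        if canonical_email(existing) == target:
            return existing
    return None


# Constructed sample data (assumed names taken from the write-up above, not real accounts).
REGISTERED = ["shaquibdexter@gmail.com", "someone.else@example.com"]

if __name__ == "__main__":
    for attempt in ["shaquib.dexter@gmail.com",
                    "ShaquibDexter+netflix@googlemail.com",
                    "shaquib.dexter@example.com"]:
        clash = find_collision(attempt, REGISTERED)
        print(f"{attempt}: {'rejected, same mailbox as ' + clash if clash else 'ok'}")
```

Run the same check on the email-change path as well, since the takeover in the steps above completes there, not at signup.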