Credit: Yunus ÇADIRCI
CORS misconfiguration in the DIAL protocol allows for video playback on a local device
A user accessing a crafted URL on a device, while on the same network as a DIAL-compatible device (TV), would issue a video playback request. If an application is open to playback requests, the device will play the video on the application. The issue has no impact on the confidentiality, integrity, and availability of the application.
Applications that do not use DIAL for playback requests are not vulnerable to this issue, such as the Netflix application in its current and previous versions.
The DIAL protocol from version 1.7.2 onwards performs a CORS check which needs to validate the origin header. The DIAL protocol trusts the local browser for the CORS access policy. CORS check is performed on the Origin header but can be bypassed using the FTP protocol being used inside of the iframe.
The attacker needs to be on the same network as the device and know the IP address of the device. The attacker would need to craft a CSRF payload for the vulnerable application for that particular device to execute the attack.
The CORS issue is fixed in the Version 2.2.1 of the DIAL protocol. This issue was addressed in PR and a new release with the fix was created on 31 August 2020. Please, upgrade your DIAL implementation to the new version.
View in-repo security advisory: https://github.com/Netflix/dial-reference/security/advisories/GHSA-362f-99gx-8hv4