When Netflix's NFTs Forget Web2 Business Security
2022-08-02 00:15:00 【Blockchain-Metaverse-Chain Games-NFT-Digital Collection】
Netflix is a video entertainment company with a market value of 80 billion US dollars and 222 million paid members in more than 190 countries and regions. How could such a giant pass up the web3 trend?
So, riding the recent X2Earn wave, it creatively launched a Watch to Earn campaign.
Official entrance: https://lovedeathandart.com/

Roughly, a QR code randomly appears while a member is watching a video. The member combines it with their Ethereum address, the official backend signs that information and returns a signature value, and with that value the member can mint an NFT from the contract Netflix released. As the figure shows, the artwork is very nice, and combined with a stable economic model this might have been a top-tier project like the running-shoe game!
So at the start everyone wanted to buy a batch of memberships and slowly watch-to-earn.

However, I never imagined that the process of obtaining the official signature was completely unprotected!
When the event opened, the web3 "scientists" (script users) eagerly captured the traffic, and once they received a QR code they were surprised to find that the scan-to-sign request required no web2 account authentication and carried no risk-control logic at all???
Simply construct the request shown in the screenshot, putting your own Ethereum address and serial number in the target.

On macOS it can be sent directly from the command line; on Windows you can use Postman or another request-building tool. The response contains a signature.
Then go to the official contract address
https://etherscan.io/address/0xfd43d1da000558473822302e1d44d81da2e4cc0d#writeContract
and call the write method with an arbitrary data value (the contract does not verify it) and the corresponding serial number, and you can mint.
A few hours later, some people had written a one-click script that lowered the bar even further.

Because the cost of obtaining this NFT was so low, at the current gas price of 20wei there had been 50,000 transactions as of 09:00 on 20 May, most of them mint operations. Of course, once the bug surfaced the NFT's price could not stay high, and everyone was effectively just there for the experience and the fun.
But for Netflix, an idea that might have rivaled STEPN was blown up at the most basic web2 business-process layer.
Although, in a sense, the spread of this bug seems to have gone well beyond what the event itself had planned..

Interpretation from a security perspective
1: The contract follows the standard design pattern: it determines whitelist eligibility with EIP-1271 signature verification. EIP-1271 is designed for contracts acting as signers; the isValidSignature method it specifies can implement any verification logic, such as single signature, multi-signature, threshold signature, and so on.
Without such signature verification, controlling the mint whitelist for this event would be a costly problem.
Because the event itself is meant to motivate users to keep watching,
if the whitelist were accumulated off-chain and its Merkle root written on-chain only periodically, the feedback loop that motivates users would become much longer,
and if each new user were whitelisted on-chain individually, the event organizer would face high costs.
2: Secondly, the contract also records the serial number for the wallet address in hasMinted to prevent replay, and it updates that permission state first and only then performs the mint, which is also properly done.
But from the web2 point of view, the cost of breaking the link where the user obtains the official signature is almost zero. This is comparable to traditional web2 marketing coupon issuance, which has always been a major challenge for enterprises.
The author has worked in web2 business security risk control for 5 years, and out of professional habit I add web2's practical security countermeasures here.
The core is a system built on a sound account security system, a comprehensive blacklist database, and real-time adversarial strategies.
A robust anti-cheating defense for a web2 marketing scenario requires 4 major steps:
1: Business risk assessment = product logic + data instrumentation + instrumentation processing + dynamic instrumentation for confrontation
2: Offline strategy modeling = strategy R&D + validation + online evaluation
3: Continuous confrontation on the production network = strategy grayscale rollout + strategy monitoring + strategy iteration + dynamic attack-and-defense + customer complaint feedback + black-market intelligence
4: Decision and disposal confrontation = timely blocking of behavior, human-machine verification (CAPTCHA), identity verification
It is highly dependent on the quality of black-market data, which is the basis of cost-based confrontation. The core includes a device fingerprint library, an IP profile library, a mobile phone number profile library, an account profile library, and so on.
Finally, algorithms continuously strengthen policy detection, such as anomaly detection, gang (group) detection, behavior detection, and so on.
In short:
The foundation of web2 is no less glorious than the running-shoe game. Web3 is a marketing tool but not an independent ecosystem; in the long run it will coexist with many web2 infrastructures.
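The two halves of the analysis above (the contract's signature check and hasMinted replay guard, and the web2 risk controls around signature issuance) can be put side by side in a small model. The following is an added example written for this article; it is not Netflix's backend, not the deployed contract, and not the one-click script. HMAC-SHA256 stands in for the issuer's secp256k1 signature and the contract's EIP-1271 / ecrecover check, and every name in it (GatedSigner, the QR-0001 serial, the member ids, the addresses) is constructed for the demo. What it shows is that the contract's own checks are sound, yet with an unauthenticated signer a made-up serial still mints, whereas binding issuance to a member session, the serial that member was actually shown, a per-member quota and a blocklist closes the gap the post describes.

```python
import hmac
import hashlib
import secrets

# Constructed demo key: stands in for the issuer's secp256k1 private key.
SIGNING_KEY = b"constructed-demo-issuer-key"


def sign(address: str, serial: str) -> str:
    """Issuer signature over (address, serial). HMAC is a stand-in for ECDSA."""
    msg = f"{address.lower()}:{serial}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def is_valid_signature(address: str, serial: str, sig: str) -> bool:
    """Contract-side check, the role EIP-1271 isValidSignature / ecrecover plays."""
    return hmac.compare_digest(sign(address, serial), sig)


class MintContract:
    """Toy model of the on-chain contract: signature check plus hasMinted guard."""

    def __init__(self):
        self.has_minted: set[str] = set()
        self.owner_of: dict[str, str] = {}

    def mint(self, address: str, serial: str, sig: str) -> str:
        if not is_valid_signature(address, serial, sig):
            raise PermissionError("invalid signature")
        if serial in self.has_minted:
            raise PermissionError("serial already minted")
        self.has_minted.add(serial)  # update state before the effect
        self.owner_of[serial] = address
        return serial


class UnauthenticatedSigner:
    """The flaw the post describes: any caller gets a signature for any input."""

    def request_signature(self, address: str, serial: str) -> str:
        return sign(address, serial)


class GatedSigner:
    """Web2 risk control around issuance: session, ownership, replay, quota, blocklist."""

    def __init__(self, issued_serials: dict[str, str], blocklist, max_per_member: int = 3):
        self.issued_serials = issued_serials  # serial -> member the QR code was shown to
        self.blocklist = set(blocklist)
        self.max_per_member = max_per_member
        self.sessions: dict[str, str] = {}   # session token -> member id
        self.redeemed: set[str] = set()
        self.issued_count: dict[str, int] = {}

    def login(self, member_id: str) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = member_id
        return token

    def request_signature(self, session_token: str, address: str, serial: str) -> str:
        member = self.sessions.get(session_token)
        if member is None:
            raise PermissionError("no authenticated member session")
        if member in self.blocklist:
            raise PermissionError("member is on the blocklist")
        if self.issued_serials.get(serial) != member:
            raise PermissionError("serial was not issued to this member")
        if serial in self.redeemed:
            raise PermissionError("serial already redeemed")
        if self.issued_count.get(member, 0) >= self.max_per_member:
            raise PermissionError("per-member quota exhausted")
        self.redeemed.add(serial)
        self.issued_count[member] = self.issued_count.get(member, 0) + 1
        return sign(address, serial)


def try_mint(get_sig, contract: MintContract, address: str, serial: str) -> str:
    """Run one issuance-then-mint attempt; return 'minted' or the refusal reason."""
    try:
        contract.mint(address, serial, get_sig())
        return "minted"
    except PermissionError as e:
        return str(e)


def run_demo() -> dict[str, str]:
    attacker = "0x" + "a" * 40  # constructed address
    alice = "0x" + "1" * 40     # constructed address
    r = {}

    # Scenario A: open signer. The contract's checks work, but a made-up serial mints.
    open_signer, c1 = UnauthenticatedSigner(), MintContract()
    r["open_made_up_serial"] = try_mint(lambda: open_signer.request_signature(attacker, "FAKE-0001"), c1, attacker, "FAKE-0001")
    r["open_replay"] = try_mint(lambda: open_signer.request_signature(attacker, "FAKE-0001"), c1, attacker, "FAKE-0001")

    # Scenario B: gated signer. Only the member who was shown QR-0001 can redeem it, once.
    gated, c2 = GatedSigner({"QR-0001": "alice"}, {"mallory"}), MintContract()
    r["gated_no_session"] = try_mint(lambda: gated.request_signature("bogus", attacker, "QR-0001"), c2, attacker, "QR-0001")
    mallory_tok = gated.login("mallory")
    r["gated_blocked"] = try_mint(lambda: gated.request_signature(mallory_tok, attacker, "QR-0001"), c2, attacker, "QR-0001")
    alice_tok = gated.login("alice")
    r["gated_wrong_serial"] = try_mint(lambda: gated.request_signature(alice_tok, alice, "FAKE-0001"), c2, alice, "FAKE-0001")
    r["gated_legit"] = try_mint(lambda: gated.request_signature(alice_tok, alice, "QR-0001"), c2, alice, "QR-0001")
    r["gated_replay"] = try_mint(lambda: gated.request_signature(alice_tok, alice, "QR-0001"), c2, alice, "QR-0001")
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:22s} -> {v}")
```

The point of the split is where each check lives: hasMinted on the contract stops a second mint of the same serial, but it cannot tell a serial the backend really showed a member from one an attacker typed in, because both carry a valid signature. That distinction only exists in the web2 layer, which is why the session binding and serial ownership check belong in the signing service, not the contract.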