Netflix API Developer Blog
OAuth Security Issue
As the OAuth community and other news outlets are reporting, a security exposure has been identified with the OAuth protocol’s application authorization process we use to allow third-party applications to access the Netflix service on a subscriber’s behalf.
The Netflix website and our partner movie players (listed here) do not utilize OAuth and are therefore unaffected by this vulnerability. Netflix JavaScript widgets on sites like The New York Times and Rotten Tomatoes are also unaffected.
After examining the threat in the context of the API capabilities we provide, we’ve determined that the risk is not substantial enough to suspend our OAuth support at this time.
We have taken steps to minimize the risk to our subscribers by shortening the validity period of OAuth request tokens, which makes the attack more difficult to orchestrate. We have also added a warning to our OAuth application authorization page to alert subscribers to the potential risk and help them identify whether they are taking part in a compromised authorization session. In the coming days, we'll continue to work with Mashery and the OAuth community to resolve the exposure.
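The post describes the mitigation only in one sentence: request tokens are given a short validity period so a token obtained at the start of an authorization flow is useless once the window closes. The following is an added example, not Netflix's or Mashery's code, of what a request-token store that enforces that window looks like on the service-provider side. The 120-second TTL, the token format, the single-use rule and the binding of a token to the consumer key that requested it are all assumptions made for illustration; the post gives no number for the new validity period.

```python
"""Added example: a request-token store with a short validity window.

Not Netflix's or Mashery's code. TTL, token format, single-use and
consumer-key binding are assumptions made for illustration.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed lifetime; the post states only that the period was shortened.
REQUEST_TOKEN_TTL_SECONDS = 120


@dataclass
class RequestToken:
    token: str
    secret: str
    consumer_key: str          # the application that asked for the token
    issued_at: float
    authorized_by: Optional[str] = None   # subscriber id after approval
    consumed: bool = False


class RequestTokenStore:
    """Issues request tokens and refuses them once they are too old."""

    def __init__(self, ttl: float = REQUEST_TOKEN_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._tokens: Dict[str, RequestToken] = {}

    def issue(self, consumer_key: str) -> RequestToken:
        tok = RequestToken(
            token=secrets.token_urlsafe(16),
            secret=secrets.token_urlsafe(32),
            consumer_key=consumer_key,
            issued_at=self._clock(),
        )
        self._tokens[tok.token] = tok
        return tok

    def _live(self, token: str) -> Optional[RequestToken]:
        """Return the token only if it exists and is inside the TTL."""
        tok = self._tokens.get(token)
        if tok is None:
            return None
        if self._clock() - tok.issued_at > self._ttl:
            del self._tokens[token]  # expired: forget it so it cannot be revived
            return None
        return tok

    def authorize(self, token: str, subscriber_id: str) -> bool:
        """Called when the subscriber approves on the authorization page.

        An expired or already-approved token is refused, so a token that sat
        around longer than the window cannot be approved late.
        """
        tok = self._live(token)
        if tok is None or tok.authorized_by is not None:
            return False
        tok.authorized_by = subscriber_id
        return True

    def exchange(self, token: str, consumer_key: str) -> Optional[str]:
        """Access-token exchange: token must be live, approved, unused and
        presented by the same consumer that requested it."""
        tok = self._live(token)
        if tok is None or tok.consumed or tok.authorized_by is None:
            return None
        if tok.consumer_key != consumer_key:
            return None
        tok.consumed = True
        del self._tokens[token]       # single use: remove it entirely
        return "access-" + secrets.token_urlsafe(16)


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 1000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    store = RequestTokenStore(clock=clock)
    tok = store.issue("example-app")       # constructed consumer key
    clock.t += REQUEST_TOKEN_TTL_SECONDS + 1
    print("late approval accepted:", store.authorize(tok.token, "subscriber-1"))
```

The injectable clock is the part worth copying: expiry logic that is only checked by waiting is rarely tested, and a TTL that is never exercised tends to drift upward again as integrations ask for "a bit more time".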
More information on this issue is available at the OAuth website. We will notify the developer community via this blog if our policy on this issue changes as well as any modifications to our OAuth support.
1 Comment
Sundar – 3 years ago
I too agree that the risk is not really a very high risk, and as you have said, decreasing the validity period of the request_tokens should be enough to deal with this issue right now. Good job, guys.