Direct URL / Deep Link
Weight 3
Can mature content be accessed via direct URL?
Test ID: DU-01
CRITICAL VULNERABILITY: Netflix has a two-tier protection model. Kids profiles (dedicated Netflix Kids experience) block direct URL access server-side. However, standard profiles with maturity restrictions (TestChild12 TV-PG, TestTeen16 TV-14) only filter the UI layer (search/browse) - direct URL access completely bypasses maturity filtering. A child with a TV-PG-restricted standard profile can view the full DAHMER detail page including TV-MA rating, violent content descriptions, episode listings, and access the Play button. The maturity restriction on standard profiles is a UI-only filter, not a server-side access control.
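The difference between a UI-only maturity filter and a server-side access control, as an added example (a constructed model, not Netflix's code or this site's test harness). The rating ladder, title ids, catalogue entries and function names are assumptions; only the profile names and their ceilings come from the finding above.

```python
from dataclasses import dataclass

# Constructed rating ladder and catalogue (title ids and names are made up)
RATING_ORDER = ["TV-Y", "TV-G", "TV-PG", "TV-14", "TV-MA"]
CATALOG = {
    "t-100": {"title": "Constructed Family Show", "rating": "TV-PG"},
    "t-200": {"title": "Constructed Crime Drama", "rating": "TV-MA"},
}
NOT_FOUND = (404, {"error": "not found"})

@dataclass(frozen=True)
class Profile:
    name: str
    max_rating: str

def allowed(profile, rating):
    # Fail closed: an unknown rating or ceiling is treated as not permitted
    if rating not in RATING_ORDER or profile.max_rating not in RATING_ORDER:
        return False
    return RATING_ORDER.index(rating) <= RATING_ORDER.index(profile.max_rating)

def browse(profile):
    """UI layer: search/browse results are filtered by the profile's ceiling."""
    return [tid for tid, t in CATALOG.items() if allowed(profile, t["rating"])]

def title_detail_ui_only(profile, title_id):
    """Reported pattern: the detail route never consults the profile."""
    t = CATALOG.get(title_id)
    if t is None:
        return NOT_FOUND
    return 200, {**t, "can_play": True}

def title_detail_enforced(profile, title_id):
    """Same route with the ceiling checked server-side on every request."""
    t = CATALOG.get(title_id)
    # Unknown and over-ceiling ids get an identical response, so the block
    # neither confirms that the title exists nor exposes its metadata
    if t is None or not allowed(profile, t["rating"]):
        return NOT_FOUND
    return 200, {**t, "can_play": True}

if __name__ == "__main__":
    child = Profile("TestChild12", "TV-PG")
    print("browse:", browse(child))
    print("ui-only route:", title_detail_ui_only(child, "t-200"))
    print("enforced route:", title_detail_enforced(child, "t-200"))
```

The same `allowed` check belongs on the playback route as well, since the detail page is only one of the resources reachable by id.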
Direct URL to Yellowstone (TV-MA) on Kids profile shows 'Please switch to a non-kids profile to view this content' with profile picker showing all profiles including Adult. Content existence is revealed and zero-auth profile switching is available directly from the block page.
Same 'Please switch to non-kids profile' block with profile picker
Direct URL to Yellowstone (TV-MA) shows full detail page with all metadata. Same as search discovery — full access to everything except playback.
Direct URL to The Boys (TV-MA) detail page shows 'Age restricted video — This video is unavailable in kids profiles.' No content details exposed.
Same 'Age restricted video' block on direct URL
Direct URL to TV-MA content shows full detail page with metadata. Playback is PIN-gated. Same behavior as search discovery.
Lower scores are better. 0 means the platform fully blocks the attack vector. The category score shown on each card is the worst (highest) score across all profiles.