The Inquirer-Home

Netflix lets backend get hacked to explore future features

But there's bad guys looking to take advantage of the service, too
Fri Feb 28 2014, 16:53

VIDEO STREAMING SERVICE Netflix has opened its backend to its engineers for a "hack day", where the developers can experiment on integrating unique features for potential future updates.

One of the prospective features detects when your eyes are open or closed and pauses playback when you fall asleep, while another solves the problem of using your Netflix account at your friends' pad without the kerfuffle of having to log in and out.

"For Hack Day, our primary goal is to provide a fun, experimental, and creative outlet for our engineers," Netflix said in a blog post. "Most teams started hacking on Thursday morning, hacked through the night, and they wrapped up by Friday morning to present a demo to their peers."

Apparently, Netflix holds this hack day regularly, but this time decided to share it with the public due to "some really spectacular work".

"The hackers generated a wide range of ideas on just about anything, including ideas to improve developer productivity, ways to help troubleshooting, funky data visualizations, and of course a diversity of product feature ideas," Netflix said. "These ideas get categorised, then to determine the winner for each category the audience of Netflix employees rated each hack, in true Netflix fashion, on a 5-star scale."

Netflix shared its favourite hacks in a couple of YouTube videos, most of which were conceived within 24 hours.

The most notable is probably the sleep tracking feature, which allows users to choose a "resume from sleep bookmark" when watching a TV show they fell asleep watching at an earlier time.

Netflix Beam was another exciting and probably more realistic idea, which involved the use of Bluetooth LE to securely transfer accounts from one device to another without requiring a log in and out cycle.

Netflix said that although these ideas might seem somewhat promising, they might never become part of the Netflix product or internal infrastructure, or be used beyond its hack day.

Although this hack day was for the good of Netflix, just today security website Malwarebytes reported a threat that sees bad guys using the service to exploit users.

"I came across what I first thought was a typical phishing scam targeting Netflix...until I realised it wasn't, or at least that there was something more to it," said Malwarebytes security researcher Jerome Segura in a blog post. "Of course it stole my credentials."

The phishing scam displays a message saying that the user's account has been suspended and, in order to fix the issue, urges the user to call Netflix at a 1-800 number that isn't the real Netflix hotline.

"Once I called the number, the bogus support representative had me download a 'NetFlix Support Software'," said Segura.

"After remotely connecting to my PC, the scammer told me that my Netflix account had been suspended because of illegal activity. This was supposedly due to hackers that had infiltrated my computer as he went on to show me the scan results from their own 'Foreign IP Tracer', a fraudulent custom-made Windows batch script."

The bogus phone operator said that letting a Microsoft Certified Technician fix Segura's computer was the only way to resolve the issue, and drafted him a quick invoice with a $50 Netflix coupon, which was of course fake, before Segura was transferred to another technician.

"During our conversation, the scammers were not idle. They were going through my personal files and uploading those that looked interesting to them, such as 'banking 2013.doc'," Segura said.

"Another peculiar thing is when they asked me for a picture ID and a photo of my credit card since the Internet is not secure and they needed proof of my identity. I could not produce one, therefore they activated my webcam so that I could show said cards to them onto their screen."

Segura ended it there because his camera was disabled by default, but he said that information gathered from the TeamViewer logfile showed the scammers were actually located in India.

"This was a clever plan which not only is about stealing money for bogus services but also about identity theft by gathering personal details from the victim [such as] photo, name, email, address, password," he added. µ

 
