Netflix has come a long way from just renting out DVDs via post. We all enjoy the slick interface and smooth playback it has to offer.

Under the hood everything ticks along to provide an enjoyable service. And a good one at that. One thing it also provides is subtitles for the movie you watch, for some at least. If only those were kept under wraps too.
Fig. 1. My keyword search for 'towels' as seen in film
As can be seen in fig. 1, via tcpdump, the subtitles of my selected movie (find out which one it is and leave a comment), shown on my iPad, can be seen quite clearly. This brings up a number of privacy concerns for anyone enjoying a Netflix movie with subtitles enabled. As can be seen it is possible to clearly pick out what movie or TV series I was watching. This information could be used in phishing and even social engineering attacks since the traffic is sent over HTTP instead of HTTPS.

I first noticed this issue in Jan 2014 and put out a tweet about it. I see that the Netflix application with version 5.2.0-release-327 still has this issue. I have not tested any other applications or the web application that are part of the Netflix suite. We can only hope that Netflix fixes this issue soon.

I wonder if you could intercept the traffic and alter the words. I wonder if there is anything else that could be sent to the poor iPad application. I guess that is one for mobile app testers to find.

