Netflix took the video streaming industry by storm when it debuted Black Mirror: Bandersnatch last year. The “choose your own adventure” themed movie puts viewers in charge of the story and flow of the movie. The success of Bandersnatch even led to the creation of a second interactive show ‘You vs. Wild’ featuring Bear Grylls.
However, researchers from the Indian Institute of Technology, Madras, have found that the choices we make in such interactive videos aren’t exactly private. The team says that Netflix’s encrypted interactive video traffic can be analyzed to find out what users are watching and the choices they make in interactive videos.
In 2016, Netflix encrypted its video platform by adopting HTTPS, which makes it difficult for hackers to stage a “man in the middle” attack between Netflix’s servers and a viewer’s browser to track what they are watching.
But the attributes of encrypted video data can be used to analyze and fingerprint the video, users are watching on Netflix.
“Encryption may hide content, but it does not hide traffic patterns, and traffic analysis can reveal important secrets,” says the team from IIT Madras.
The research team found that at each decision branch in an interactive video, Netflix considers one of the options the “default,” (a choice) and the other as a backup.
Netflix then lines up the “default” video which is ready to play and sends a JSON file containing information about the viewer’s choice.
The team found that the characteristics of the pre-queued stream, JSON file size, along with a file header (SSL record length) can be used to determine user choices at each point of the video.
Analyzing data from 100 Netflix users, the researchers were able to predict the decisions correctly 96% of the time.
The research have alerted Netflix of this issue by submitting these findings to its bug bounty program. While the company acknowledges the validity of their findings, it says that “such an attack would be difficult to carry out in practice, because it requires access to network traffic for analysis.”
The video streaming platform also pointed out that a part of the data leak is due to the shortcomings of the encryption protocol which isn’t under Netflix’s control.
However, the researchers believe that Netflix could reduce data exposure by changing the way it compresses the JSON files — making it indistinguishable in the encrypted stream.