Netflix Party Extension Privacy Analysis

Analysis of Netflix Party Chrome Extension

Bottom line.

You should trust the Netflix Party Chrome Extension as much as you trust a random programmer in Philadelphia [1][Sharya], who hosts the NetflixParty.com site.

Details

What is the Netflix Party Chrome Extension?

An extension that facilitates chat during a Netflix Party, the feature from Netflix for viewing synchronization.

What gets collected.

The addon sends data to NetflixParty.com and Google Analytics servers.

By using this extension, NetflixParty.com would have this information:

  • the content of your chats in the extension
  • information that ties your IP address to your self-described name.
  • IP or other connection information (headers) for your viewing party friends.
  • the Google Analytics data below

Google and Google Analytics would have:

  • Extension installation and update events (aggregate).

Editorial:

  • This seems like a minimal set of information necessary to provide the service.

  • Nothing else in the code seems unusual, obfuscated, or malicious.

  • I would feel better if this was hosted through Netflix.com directly.

Analysis Methods

Download the Extension to analyze.

Canonical url: https://chrome.google.com/webstore/detail/netflix-party/oocalimimngaihdkbihfgmpkcpnmlaoa?hl=en

How to download crx: https://stackoverflow.com/questions/7184793/how-to-download-a-crx-file-from-the-chrome-web-store-for-a-given-id/22191655#22191655

I used: https://chrome-extension-downloader.com/ Trust my results at your peril.

(The python script is more trustworthy.)

Unpack the downloaded crx file.

tar xzf Netflix-Party_v1.7.7.crx
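
A CRX file is a ZIP archive with a signed header prepended (magic `Cr24`, then a version and length fields). The following is an added example, not part of the original gist: it locates the ZIP payload in a CRX2 or CRX3 file and extracts it with a path check; the function names and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile
from pathlib import Path

def crx_zip_offset(data):
    """Return the byte offset where the ZIP payload starts inside a CRX file."""
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file (missing Cr24 magic)")
    version, = struct.unpack_from("<I", data, 4)
    if version == 2:    # magic, version, pubkey_len, sig_len, pubkey, signature
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        offset = 16 + key_len + sig_len
    elif version == 3:  # magic, version, header_len, protobuf header
        header_len, = struct.unpack_from("<I", data, 8)
        offset = 12 + header_len
    else:
        raise ValueError(f"unsupported CRX version {version}")
    if data[offset:offset + 4] != b"PK\x03\x04":
        raise ValueError("ZIP local-file header not found after CRX header")
    return offset

def unpack_crx(data, dest):
    """Extract the ZIP payload into dest, refusing entries that escape dest."""
    dest = Path(dest).resolve()
    extracted = []
    with zipfile.ZipFile(io.BytesIO(data[crx_zip_offset(data):])) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {info.filename}")
            zf.extract(info, dest)
            extracted.append(info.filename)
    return sorted(extracted)

def make_sample_crx3():
    """Constructed CRX3-shaped sample: dummy header bytes plus a tiny ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample", "version": "0.0.1"}')
        zf.writestr("background.js", "// constructed sample\n")
    header = b"\x00" * 7  # stands in for the signed protobuf header
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + buf.getvalue()
```

This only unpacks the archive; it does not verify the signature carried in the CRX header.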

Specific Source File Reviews

background.js

Sends data to:

  • Google Analytics. Tracks installs, updates of the extension.
  • NetflixParty: "https://data2.netflixparty.com/log-event"
  • creates a random user id, via https://data2.netflixparty.com/create-userId.
  • Stores generated id to browser local storage

content_script.js

popup.html

"Share the url below". Requires the user to share the url "out of band" via messenger or other technique.
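
The endpoint list under background.js above can be reproduced mechanically. The following is an added example, not part of the original gist or the extension: it scans an unpacked extension directory for URL literals and groups them by host, so every destination can be reviewed. The sample files are constructed (the Google Analytics URL and the manifest permissions are assumptions); only the two data2.netflixparty.com paths come from this page.

```python
import json
import re
from collections import defaultdict
from pathlib import Path
from urllib.parse import urlsplit

URL_RE = re.compile(r"""(?:https?|wss?)://[^\s"'`<>)\\]+""")
SCAN_SUFFIXES = {".js", ".html", ".json"}

def endpoint_inventory(root):
    """Map host -> {url path -> set of source files} for URL literals under root."""
    root = Path(root)
    hosts = defaultdict(lambda: defaultdict(set))
    for f in sorted(root.rglob("*")):
        if not f.is_file() or f.suffix not in SCAN_SUFFIXES:
            continue
        text = f.read_text(encoding="utf-8", errors="replace")
        for match in URL_RE.finditer(text):
            try:
                url = urlsplit(match.group(0))
            except ValueError:  # malformed literal, e.g. a broken IPv6 host
                continue
            if url.hostname:
                hosts[url.hostname][url.path or "/"].add(f.relative_to(root).as_posix())
    return hosts

def manifest_permissions(root):
    """Permissions the extension declares, to read beside the host inventory."""
    manifest = json.loads((Path(root) / "manifest.json").read_text(encoding="utf-8"))
    return manifest.get("permissions", []) + manifest.get("host_permissions", [])

def write_sample(root):
    """Constructed stand-in for an unpacked extension; not the real source."""
    root = Path(root)
    (root / "manifest.json").write_text(json.dumps(
        {"name": "sample", "permissions": ["storage", "*://*.netflix.com/*"]}))
    (root / "background.js").write_text(
        'var ga = "https://www.google-analytics.com/analytics.js";\n'
        'post("https://data2.netflixparty.com/log-event", evt);\n'
        'get("https://data2.netflixparty.com/create-userId");\n')
    (root / "popup.html").write_text('<a href="https://www.netflix.com/">Netflix</a>')
```

A static scan only finds URL literals; endpoints assembled at run time by string concatenation also need a look at live traffic.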

files list

.
├── README.md
├── _locales
│   └── en
│       └── messages.json
├── _metadata
│   └── verified_contents.json
├── background.js
├── content_script.js
├── icon.png
├── iconx300.png
├── img
│   ├── Alien.svg
│   ├── Batman.svg
│   ├── ChickenLeg.svg
│   ├── Chocobar.svg
│   ├── Cinderella.svg
│   ├── Cookie.svg
│   ├── CptAmerica.svg
│   ├── DeadPool.svg
│   ├── Exit-Unhover.svg
│   ├── Goofy.svg
│   ├── Hamburger.svg
│   ├── IceCream.svg
│   ├── IronMan.svg
│   ├── Link.svg
│   ├── Mulan.svg
│   ├── Pizza.svg
│   ├── Poohbear.svg
│   ├── Popcorn.svg
│   ├── Sailor\ Cat.svg
│   ├── Sailormoon.svg
│   ├── Snow-White.svg
│   ├── Wolverine.svg
│   ├── edit.svg
│   ├── hide.svg
│   ├── hidebtn.svg
│   ├── hotdog.svg
│   └── refresh.svg
├── jquery.js
├── manifest.json
├── normalize.css
├── old_content_script.js
├── popup.css
├── popup.html
└── popup.js

About NetflixParty.com

# whois.gandi.net

Domain Name: netflixparty.com
Registry Domain ID: 1989684435_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.gandi.net
Registrar URL: http://www.gandi.net
Updated Date: 2019-11-10T05:12:25Z
Creation Date: 2015-12-25T19:53:38Z
Registrar Registration Expiration Date: 2020-12-25T19:53:38Z
Registrar: GANDI SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Reseller:
Domain Status: ok http://www.icann.org/epp#ok
Domain Status:
Domain Status:
Domain Status:
Domain Status:
Registry Registrant ID:
Registrant Name: Shaurya Jain
Registrant Organization:
Registrant Street: 4047 Irving Street
Registrant City: Philadelphia
Registrant State/Province: Pennsylvania
Registrant Postal Code: 19104
Registrant Country: US
Registrant Phone: +1.8184066164
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: e8ca81787fafac93f188c62b260f1442-6082292@contact.gandi.net
Registry Admin ID:
Admin Name: Shaurya Jain
Admin Organization:
Admin Street: 4047 Irving Street
Admin City: Philadelphia
Admin State/Province: Pennsylvania
Admin Postal Code: 19104
Admin Country: US
Admin Phone: +1.8184066164
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: e8ca81787fafac93f188c62b260f1442-6082292@contact.gandi.net
Registry Tech ID:
Tech Name: Shaurya Jain
Tech Organization:
Tech Street: 4047 Irving Street
Tech City: Philadelphia
Tech State/Province: Pennsylvania
Tech Postal Code: 19104
Tech Country: US
Tech Phone: +1.8184066164
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: e8ca81787fafac93f188c62b260f1442-6082292@contact.gandi.net
Name Server: LIA.NS.CLOUDFLARE.COM
Name Server: VICK.NS.CLOUDFLARE.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2020-03-23T13:56:25Z <<<

Footnotes

[Sharya]: Shaurya Jain. https://www.linkedin.com/in/shauryarjain/
