This article originally appeared on VICE UK.
This week, like usual, we, VICE UK, hosted a Netflix Party for the fifth edition of our weekly Corona Film Club series. For those who haven’t been involved, we screen a film every Wednesday, chat along with the readers and post the responses in a follow-up blog the next day. Anyway: this time we were hacked.
Halfway through our viewing of Shrek the Third, the film disappeared and was replaced by a looping one and a half minute Dailymotion video that implored viewers to write to their local MP to appeal against the UK-US extradition of WikiLeaks founder Julian Assange. Shrek never returned. The video – which began with 2010 Wikileaks footage showing a US air crew shooting down Iraqi civilians and ended with a 2019 news clip of Assange being dragged out of the Ecuadorian embassy – played again and again. There's a screenshot above.
It was very bizarre. But this isn’t the only time Netflix Party has been targeted with the same video. UK indie band Glass Animals encountered a similar video when they hosted a Netflix Party on 5th April. “I don't know exactly what happened, but we were watching Spirited Away for our weekly cinema club, got five minutes in, then the whole website glitched and went to a Dailymotion site just playing some of Julian Assange's WikiLeaks videos. On repeat,” Glass Animals singer Dave Bayley told us.
Twitter user @chachisays also seems to have come across the same video at their Netflix Party on March 21. They tweeted: “15 minutes in and I got redirected to an ad telling me to contact my MP to stop extradition on Julian Assange…”
The Wikileaks video we encountered in VICE’s viewing party of US troops shooting Iraqi civilians was released in full-length form on 5th April, 2010 – exactly ten years before Glass Animals hosted their viewing party. VICE has reached out to Wikileaks for comment.
Like video apps Houseparty and Zoom, Netflix Party has been touted by publications like the New York Times and the Guardian as a communication lifeline for those in lockdown during the pandemic. But the widespread adoption of new platforms rarely goes as planned: random users can pop up uninvited on Zoom chats – a practice known as Zoombombing – and the same goes for Houseparty.
VICE has seen several reports from Netflix Party users who say their private viewing sessions were interrupted by strangers who proceeded to send threatening messages using the app’s chat function. Asli Ali, 18, was watching You Get Me – a 2017 thriller film starring Bella Thorne as an emotionally disturbed stalker – when “toward the end of the film an unknown user who hadn’t joined the party previously began typing”.
Netflix Party usually alerts everyone when someone new joins the group, but this time it didn't. The user sent a message to the group that said “the next victim”. They then alluded to the film's plot and referred to themselves as Bella Thorne’s character.
“Everyone else was in the party already, so they couldn't have been pranking us,” says Asli, who explains their Netflix Party link was private and hadn’t been shared with anyone beyond those already in the virtual room, and that "the next victim" message just popped up. “It doesn't add up and it left me and my friends on a call for hours trying to figure out who it was.”
Georgia Weidman, a cybersecurity expert and author of A Hands-on Introduction to Hacking, told VICE that we’re seeing more of these hacks because the numbers of users on these platforms have increased exponentially. “There were always attackers attacking online meetings, mobile devices, etc. but now that’s where the most users and the most sensitive data can be found.”
“Combine the amount of growth these apps are getting and the state of the economy and how much security budgets are being slashed right now, and I find it impressive that Zoom has been able to respond as well as they have to the security issues that have been raised. It seems it’s now Netflix Party’s turn to beef up their security and privacy program.”
When VICE reached out to Netflix Party, they said they were taking steps to repair the situation. A spokesperson told us that they have identified the issue and have posted a fix in the most recent update (V.1.7.9) to Netflix Party: “It may take a few days for Google to review the extension, but the new version should automatically update and roll out in a few days.”