Business Insights · July 15, 2019 · Stanislav Zayarsky · 2,515 views

“Netflix Hangouts” Google Chrome Extension, what if it is a blackmail application?

Back in 2019, a Chrome extension made the rounds for one cheeky reason: it let you watch Netflix at work while pretending to be stuck in a video call. It was called Netflix Hangouts, built by the internet-mischief studio MSCHF, and it did exactly what it promised — one click turned your show into the bottom-right tile of a fake four-person conference call, complete with three “colleagues” nodding along. Social media loved it. Thousands of people installed it within a week.

It’s a great gag. It’s also a perfect teaching example for something far less funny: how much trust you hand over every time you install a browser extension — and how easily that trust could be abused.

The harmless-looking install that asks for a lot

Here’s the part most people clicked straight past. To work, Netflix Hangouts asked permission to “Read and change your data on all netflix.com sites.” For this particular extension, that’s a reasonable request — it has to manipulate the Netflix page to pull off the disguise. MSCHF is a known creative studio, not a criminal operation, and there’s no evidence the extension did anything malicious.

But sit with that permission for a second. Read and change your data. On the site holding your account, your viewing history, and your billing relationship. You granted that to a novelty tool you installed because it was funny on Twitter. Now imagine the same gag, the same install flow, the same delighted social-media buzz — built by someone whose intentions weren’t kind.

How the same idea becomes a shakedown

Picture a malicious clone. It works perfectly as advertised, so you never suspect a thing. Quietly, in the background, it collects what it can reach: your Netflix account details, the times of day you fire it up, the specific shows you watch, and — through other permissions you waved through — your approximate location.

That data alone is enough to build a profile. Cross-reference an email or name against LinkedIn and the picture sharpens fast: where you work, who your manager is, who sits next to you. Now the pieces are in place for a clean little extortion play: transfer $500 to this Bitcoin wallet, or we tell your boss and your team exactly how you spent Tuesday afternoon — with timestamps. And if the extension also requested camera access, the threat can come with a still frame from your own webcam during one of those “meetings.”

Would people pay? Plenty would, just to make it disappear. That’s the entire business model of extortion: it doesn’t need to be true for everyone, only frightening enough to enough people.

Why this is more than a 2019 curiosity

The specific extension is a relic now — Google’s consumer Hangouts product was retired, and Chrome’s extension rules have since tightened. But the underlying risk hasn’t aged a day; if anything, it’s worse, because we install more extensions than ever and read the permission prompts less. The mechanics are unchanged:

  • An extension’s permissions are the whole ballgame. “Read and change your data on a site” means it can see and alter everything you do there. Treat that prompt as the actual decision point, not a speed bump.
  • Popularity is not safety. A clever, viral extension earns trust it hasn’t necessarily proven. Malicious actors specifically clone or buy popular extensions because the install momentum is already there.
  • Legitimate extensions get hijacked, too. A trusted extension can be sold to a new owner or compromised, and then push a malicious update straight to everyone who already installed it, with no new click required.
  • The data is more linkable than you think. It rarely takes much — an email, a name, a location pattern — to tie an anonymous-feeling activity log back to the real, employed, blackmailable you.

How to actually protect yourself

A few habits that cost nothing and close most of the risk:

  • Read the permissions before you click Add. If a simple tool wants access far beyond its obvious job, that’s your signal to stop.
  • Audit what you’ve already installed. Open your browser’s extensions page and remove anything you don’t recognize or no longer use. Each one is standing access you’re still granting.
  • Prefer extensions with a real publisher, real reviews, and a privacy policy — and be extra wary of clones with names a hair off the original.
  • On managed work devices, leave extension policy to IT. That webcam-and-account exposure isn’t only your problem; it’s your employer’s.
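
One way to do the audit step without reading every prompt by hand, as an added example that is not code from Netflix Hangouts or MSCHF: it parses each extension's manifest.json and flags host patterns that cover every site, patterns that cover an account site you care about, and API permissions useful for profiling. The two sample manifests are constructed, and the watched-site list and the set of flagged API permissions are assumptions to adjust.

```python
import json
from pathlib import Path

ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed shortlist of API permissions worth a second look; extend as needed.
SENSITIVE_APIS = {"geolocation", "cookies", "history", "tabs", "webRequest"}

def host_patterns(manifest):
    """Host match patterns from MV3 host_permissions, MV2 permissions, and content scripts."""
    pats = list(manifest.get("host_permissions", []))
    pats += [p for p in manifest.get("permissions", []) if p == "<all_urls>" or "://" in p]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return sorted(set(pats))

def audit(manifest, watched_sites=("netflix.com",)):
    """Return (severity, message) findings for one parsed manifest.json."""
    findings = []
    for pat in host_patterns(manifest):
        if pat in ALL_SITES:
            findings.append(("high", "all sites: " + pat))
            continue
        host = pat.split("://", 1)[-1].split("/", 1)[0]
        host = host[2:] if host.startswith("*.") else host
        if any(host == s or host.endswith("." + s) for s in watched_sites):
            findings.append(("medium", "account site: " + pat))
    for perm in manifest.get("permissions", []):
        if perm in SENSITIVE_APIS:
            findings.append(("medium", "API: " + perm))
    return findings

def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a Chrome profile's Extensions folder."""
    results = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        results[path.parent.parent.name] = audit(manifest)
    return results

# Constructed sample manifests (not taken from any real extension).
SINGLE_SITE = {"manifest_version": 2, "name": "Video call disguise", "permissions": ["storage"],
               "content_scripts": [{"matches": ["*://*.netflix.com/*"], "js": ["disguise.js"]}]}
OVERREACHING_CLONE = {"manifest_version": 3, "name": "Video call disgiuse",
                      "permissions": ["storage", "geolocation", "cookies"],
                      "host_permissions": ["<all_urls>"],
                      "content_scripts": [{"matches": ["*://*.netflix.com/*"], "js": ["disguise.js"]}]}

if __name__ == "__main__":
    for m in (SINGLE_SITE, OVERREACHING_CLONE):
        print(m["name"], audit(m))
```

Point `audit_profile` at the Extensions folder inside your own browser profile; the keys of the result are the extension IDs shown on the browser's extensions page.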

And yes — maybe don’t install a tool whose core purpose is deceiving your employer and routing your account through an unknown third party. The joke’s funny. The permission grant isn’t.

Stay safe out there.

Written by Stanislav Zayarsky CEO
