Naked Security

Chrome bug gives pirates a way to steal streaming movies

Google has 90 days from 24 May before details of the bug are made public

Security researchers have discovered a bug in Google Chrome that gives pirates a way to copy paid-for movies streamed from sites like Netflix and Amazon Video.

Movie streaming services rely on DRM (Digital Rights Management) technology to keep a lid on piracy by controlling how and where the TV and movies they distribute can be played.

Users are supposed to have the option to view the content as the vendor intended, or not at all.

According to Wired, users of Google Chrome have another option altogether though – protected content that’s streamed to the popular browser can be intercepted and copied as the bits and bytes flow between the browser’s CDM (Content Decryption Module) and media player.

When you want to play a DRM-protected movie, Chrome’s CDM asks the content provider for a license and then uses that license to decrypt the movie. The decrypted content is then sent to the browser’s media player where it’s turned into something you can actually watch.

The bug was apparently discovered about eight months ago by researchers David Livshits and Alexandra Mikityuk who reported it to Google on 24 May 2016.

Livshits and Mikityuk are keeping the precise details of the vulnerability under wraps for 90 days (a limit in line with the disclosure policy of Google’s own Project Zero). The clock is ticking and there’s no patch yet, but a spokesperson for the Mountain View search giant told Wired that it’s “examining the issue closely”.

Chrome uses DRM technology produced by Widevine, a company Google acquired in 2010, and the researchers suspect that the bug has existed for as long as the DRM technology has been part of the browser.

It’s possible that other browsers, even TVs and other devices, are vulnerable too.

Google Chrome is a packaged and lightly modified version of the open source Chromium project which also contains the vulnerable Widevine code. Chromium forms the basis of a number of other browsers, most notably Opera.

Widevine DRM technology has also been included in Firefox since 7 June and, according to the Widevine website, its DRM technology is deployed in over two billion devices such as TVs, set-top boxes and games consoles.

The researchers have so far restricted their investigations to Chrome and haven’t examined any other systems that use Widevine.

To demonstrate the flaw the researchers have written proof-of-concept code and produced a somewhat terse video of their software copying a streaming movie.


2 Comments

This is a tricky situation, because if Google just patches the Widevine code to fix the problem, they also have to prevent older versions of the browser from decrypting the streaming video. Since the problem here isn’t a third-party attacker but is instead the users of the software, any real fix will have to include a protocol change that will break backwards compatibility. A 90-day timeline for this is an awfully tight window.

Damn!!! Nothing is safe anymore. Even if they are able to fix the problem, something else will eventually show its head!!! :(
