Valentina PalladinoSecurity researchers have discovered a vulnerability in the Google Chrome browser that could allow users to bypass itscopy protection system and download content from streaming video services like Netflix and Amazon Prime Video.
According to Wired, Google was alerted to the problem on May 24, but is yet to issue a patch.
The vulnerability centers around the Widevine digital rights management system—which Google owns and has implemented into Chrome—and specifically how it handles decryption of encrypted media streams. Widevine uses two pieces of tech to protect content: the encrypted media extensions (EME), which handle key exchanges and other high-level functions, and a content decryption module (CDM), which unscrambles encrypted video for playback in the browser.
Unfortunately for Google, the researchers discovered it’s possible to hijack the decrypted movie stream right after the CDM decrypts the film, before it’s displayed in the browser. With the right software—and let’s face it, it doesn’t take long for pirating software to appear following the discovery of a vulnerability—any user would be able to download streaming content for keeps.
However, the researchers have not disclosed exactly how the vulnerability is accessed, and will not do so until at least 90 days after its disclosure to Google. 90 days is the minimum that Google’s own security researchers give vendors to fix vulnerabilities they uncover before they disclose the bugs publicly.
For now, the researchers have released a video demonstrating the vulnerability in action.
A demo of the vulnerability.
Speaking to Wired, a Google spokesman noted that the company was examining the issue, but didn’t go as far as to say it would issue a patch, saying the problem is not exclusive to Chrome and could apply to any browser created from the open source code Chromium code.
“Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths,” he said.
While Google could patch the issue in Chrome, it would be entirely possible for an enterprising developer to go back to the source code, remove the patch, and then release a version of the browser with the vulnerability intact. Other browsers, including Firefox and Opera, also make use of the Widevine system, although they have not currently been tested.
“The simplicity of stealing protected content with our approach poses a serious risk for Hollywood [studios] which rely on such technologies to protect their assets,” the researchers said.
This post originated on Ars Technica UK