A flaw in Google Chrome has opened the door to pirates bent on copying paid-for movies streamed from sites like Netflix and Amazon Video.
Independent researchers David Livshits from the Cyber Security Research Center at Ben-Gurion University in Israel and Alexandra Mikityuk with Telekom Innovation Laboratories in Berlin, Germany, reported the flaw to Google on May 24, providing a written proof-of-concept code and a video showing the software copying a streaming movie.
Digital rights management and watermarking technology are generally employed to keep pirates from cloning or hijacking copyrighted video content. But the Chrome browser's implementation of DRM leaves a loophole that allows streams to be intercepted and copied.
Chrome uses a content decryption module (CDM) that interacts with DRM, verifying licenses and effectively forming a handshake that decrypts the content and allows the movie or TV show to start streaming if the user is authorized. The bug is a flaw within this set-up; the precise details of the vulnerability are for now being held back, because there’s no patch thus far.
A Google spokesperson told Wired that it’s “examining the issue closely.”
It’s possible that the flaw affects far more than just the Chrome browser. The researchers said that the underlying issue probably goes back to Google’s Widevine content protection and DRM technology, contained in the open source Chromium project. Chromium in turn forms the basis for not only Chrome, but also the Opera and Mozilla Firefox browsers, and various OS for TVs, set-top boxes, gaming consoles and more.
The researchers haven’t looked at the other systems that use Widevine though.
Fixing the issue is not that easy; Chromium, being open-source, has been taken and altered by various OEM—echoing the fragmentation problem that Google’s Android mobile OS has.
“Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths,” the spokesman said.
Photo © Evan Lorne/Shutterstock.com