Chrome flaw makes it possible to copy DRM video streams such as Netflix
Security researchers from the Ben-Gurion University Cyber Security Research Center (CSRC) have unearthed a vulnerability in Google Chrome that can be exploited to make copies of DRM-protected video streams. The problem affects all Chromium-based browsers, and makes it possible to circumvent the Widevine encryption technology that Google uses to secure streams.
Widevine has been used in Chrome for a while, after Google acquired it back in 2010. It has been used to prevent piracy of premium YouTube channels, and is also used to protect Amazon Prime and Netflix streams. Google was informed about the problem back in May, but is yet to issue a patch.
Researchers David Livshits and Alexandra Mikityuk say the flaw means that it is relatively easy to save copies of streamed videos, Wired reports. Widevine's encrypted media extensions are used to decrypt protected streams ready for playback, and the exploit takes advantage of the fact that the system fails to perform proper checks to ensure that the decrypted stream is only playing in the web browser. It is possible to intercept the video as it is passed from the CDM (Content Decryption Module) to Chrome's media player, and make a copy.
The researchers who discovered the problem have released a video that shows the exploit in action.
Full details of how the exploit works have not -- for obvious reasons -- been released, but it is described as being a simple bug. Google has not only failed to produce a patch, but does not seem in any rush to do so. In an email to Wired, a spokesperson said:
Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths.
The Widevine CDM is also used by Firefox and Opera, but these browsers have not been probed to see if they are similarly vulnerable.