For the past decade, Hollywood’s battle against online pirates has been mainly been focused on leaked DVD screeners and illegal streaming sites. Now a pair of security researchers say they’ve discovered a vulnerability in the Google Chrome browser that allows people to save illegal copies of movies from streaming sites like Netflix and Amazon Prime.
The vulnerability, first reported by Wired, takes advantage of the Widevine EME/CDM technology that Chrome uses to stream encrypted video from content providers. Researchers David Livshits from the Cyber Security Research Center at Ben-Gurion University and Alexandra Mikityuk of Telekom Innovation Laboratories discovered a way to hijack streaming video from the decryption module in the Chrome browser after content has been sent from services like Netflix or Amazon Prime.
The researchers created a proof-of-concept (which is currently the only evidence of the exploit) to show how easily they could illegally download streaming video once CDM technology has decrypted it.
Livshits and Mikityuk privately disclosed the bug to Google on May 24, and surprisingly, the issue still hasn’t been patched yet. The researchers say the bug is relatively simple, and they’re waiting at least 90 days after the disclosure to Google before they reveal details to the public. This is the same amount of time Google’s Project Zero security analyst team gives vendors to fix vulnerabilities they discover.
Wired points out that major issue facing Google as it deals with this exploit is that Chromium, the open-source code that the Chrome browser is based off, would still allow malicious hackers to take advantage of the vulnerability. Even if Google were to patch the bug, other capable developers could theoretically create a new browser using the open-source Chromium code and override (or ignore) the patch. Still, both Livshits and Mikityuk believe Google should patch its official product, the Chrome browser.
Widevine is currently used in more than 2 billion devices worldwide and is the same digital rights management technology used in Firefox and Opera browsers. Safari and Internet Explorer, however, use different DRM technology. Whether Google ever patches the exploit remains to be seen, but if history has taught us anything, it’s unlikely that this will be the last time Hollywood has to fend off digital pirates.
Update 2:35 p.m.: Google has released the following statement:
“We appreciate the researchers’ report and we’re examining it closely. Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths. The Chrome browser, however, is required to protect compressed video and does so.”