Bad news for Google, good news for pirates: a pair of security researchers have found a flaw in the way the Chrome browser unpacks encrypted video. It’s all rather technical, but the upshot is that pirates have an easy way to save DRM-ed video streams to their desktop.
Wired first reported on the vulnerability, which was discovered by researchers David Livshits from the Cyber Security Research Center at Ben-Gurion University and Alexandra Mikityuk of Telekom Innovation Laboratories.
According to Wired, this is how the exploit works:
“The problem is with the implementation of a digital management system called Widevine, which Google owns but did not create. It uses encrypted media extensions to allow the content decryption module in your browser to communicate with the content protection systems of Netflix and other streaming services to deliver their encrypted movies to you. EME handles the key or license exchange between the protection systems of content providers and a CDM component in your browser. When you choose a protected movie to play, the CDM sends a license request to the provider through the EME interface and receives a license in return, which allows the CDM to decrypt the video and send it to your browser player to stream the decrypted content.
A good DRM system should protect that decrypted data and only let you stream the content in your browser, but Google’s system lets you copy it as it streams. The point at which you can hijack the decrypted movie is right after the CDM decrypts the film and is passing it to the player for streaming.”
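To make the quoted description concrete, the following is an added JavaScript example (written for this edit; it is not code from the article, Wired, Google, Widevine or the researchers) of the application-side half of an EME session: the page asks the browser for Widevine access, relays the CDM's opaque license request to the provider's license server, and hands the returned license back to the CDM. The key system id `com.widevine.alpha`, the `encrypted`/`message` events and the codec strings are standard EME values; `LICENSE_SERVER_URL` is a placeholder and `attachDrm`, `fetchLicense` and `buildKeySystemConfig` are names chosen here. What matters for the vulnerability is what this code never touches: keys and decrypted frames stay inside the CDM and the browser's media pipeline, and the hop from the CDM to the player is exactly where the researchers say the plaintext can be tapped, which no amount of page-side code can defend.

```javascript
// Added example of the EME license exchange as seen by a web application.
// Not the article's code. Key system id and codec strings are standard;
// LICENSE_SERVER_URL is a placeholder for a provider's license endpoint.

const WIDEVINE_KEY_SYSTEM = 'com.widevine.alpha';
const LICENSE_SERVER_URL = 'https://license.example.invalid/widevine'; // placeholder

// Capability request passed to navigator.requestMediaKeySystemAccess():
// 'cenc' (Common Encryption) init data, H.264 video and AAC audio in MP4.
function buildKeySystemConfig() {
  return [{
    initDataTypes: ['cenc'],
    videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
    audioCapabilities: [{ contentType: 'audio/mp4; codecs="mp4a.40.2"' }],
  }];
}

// Forward the CDM-generated license request to the provider and return the
// license bytes. The page only relays opaque buffers; it never sees keys.
async function fetchLicense(licenseUrl, requestBody) {
  const res = await fetch(licenseUrl, { method: 'POST', body: requestBody });
  if (!res.ok) throw new Error(`license server returned ${res.status}`);
  return new Uint8Array(await res.arrayBuffer());
}

// Wire a <video> element to the Widevine CDM. Browser-only: it is defined
// here but not invoked at load time, so the file also loads outside a browser.
async function attachDrm(video, licenseUrl = LICENSE_SERVER_URL) {
  const access = await navigator.requestMediaKeySystemAccess(
    WIDEVINE_KEY_SYSTEM, buildKeySystemConfig());
  const mediaKeys = await access.createMediaKeys();
  await video.setMediaKeys(mediaKeys);

  // Fired when the media pipeline meets encrypted samples (PSSH box etc.).
  video.addEventListener('encrypted', async (ev) => {
    const session = mediaKeys.createSession();
    // The CDM emits its license request here; the app just ships it out.
    session.addEventListener('message', async (msg) => {
      const license = await fetchLicense(licenseUrl, msg.message);
      await session.update(license); // CDM now holds the content keys
      // From this point decryption and rendering happen below the page:
      // CDM -> decoder/player. The page gets no plaintext media buffers.
    });
    await session.generateRequest(ev.initDataType, ev.initData);
  });
}
```

Because the whole exchange is a relay of opaque buffers, a provider cannot detect or prevent the reported flaw from the web application side; the defensive levers are the robustness of the CDM-to-player path and the license policy (e.g. which output protection or security level a license demands), both of which live outside this code.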
It’s a sort of man-in-the-middle attack for digital streaming, and it looks very effective. The researchers created a video to demonstrate their proof-of-concept, rather than releasing the code publicly.
The bug was disclosed to Google on May 24th, but there’s still no fix. Google doesn’t seem to think that the exploit is a particularly big deal — a Google spokesperson told Wired that “they’re examining the issue closely, but he also downplayed the bug, saying the problem is not exclusive to Chrome and could apply to any browser created from Chromium, the open-source code from which Chrome is derived.”
This is much like an auto manufacturer saying “it doesn’t matter that our car spontaneously combusts, because so do other cars based on the same platform.”
Google has since said that it’s “examining [the report] closely.” Whether that means there’s a fix in the works, or if pirates have a free pass, still remains to be seen.