Security researchers David Livshits from the Cyber Security Research Center at Ben-Gurion University and Alexandra Mikityuk of Telekom Innovation Laboratories have uncovered a flaw in Google’s Chrome web browser that could allow users to save illegal copies of movies streamed from services like Netflix and Amazon’s Prime Video.
The vulnerability exists in how Google implements the Widevine EME/CDM technology used by Chrome to stream encrypted video.
As Wired explains, the problem relates to the implementation of a digital rights management (DRM) system called Widevine, which uses Encrypted Media Extensions (EME) to let the content decryption module (CDM) in your browser communicate with the content protection systems used by companies like Netflix to deliver encrypted movies to their customers.
EME is responsible for handling the key or license exchange between the protection systems of content providers and the CDM component of your browser. When a user selects a movie to play, the CDM requests a license from the provider through the EME interface. Once it receives the license, the CDM can decrypt the video and hand the decrypted content to the browser's video player for playback.
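The license exchange just described, as an added example of how a web page drives it through the EME API (this is illustrative code, not code from the article or from Google/Widevine). The EME calls and the Widevine robustness strings are real; the license endpoint, the `fetchLicense` callback and the injected `nav`/`video` objects are assumptions so the flow can be exercised outside a browser.

```javascript
// Key-system configuration offered to the browser. The robustness values are
// real Widevine levels; asking for a hardware level lets a content provider
// refuse a software-only CDM, which is where decrypted frames are most exposed.
function buildKeySystemConfig(requireHardware) {
  const robustness = requireHardware ? 'HW_SECURE_DECODE' : 'SW_SECURE_DECODE';
  return [{
    initDataTypes: ['cenc'],
    videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"', robustness }],
    audioCapabilities: [{ contentType: 'audio/mp4; codecs="mp4a.40.2"', robustness: 'SW_SECURE_CRYPTO' }],
  }];
}

// One EME session: the CDM emits a 'message' (its license request), the page
// relays it to the provider's license server, and the provider's answer goes
// back into the CDM through update(). `nav` and `fetchLicense` are injected
// (assumption) so the same function runs against mocks in a test harness.
async function runLicenseExchange(nav, video, initDataType, initData, fetchLicense, requireHardware = false) {
  const access = await nav.requestMediaKeySystemAccess('com.widevine.alpha', buildKeySystemConfig(requireHardware));
  const mediaKeys = await access.createMediaKeys();
  await video.setMediaKeys(mediaKeys);
  const session = mediaKeys.createSession('temporary');
  const licensed = new Promise((resolve, reject) => {
    session.addEventListener('message', async (ev) => {
      try {
        const license = await fetchLicense(ev.message);  // opaque bytes from the provider
        await session.update(license);                   // CDM validates and installs keys
        resolve({ sessionId: session.sessionId, licenseBytes: license.byteLength });
      } catch (e) { reject(e); }
    });
  });
  await session.generateRequest(initDataType, initData); // CDM builds the license request
  return licensed;
}

// Browser wiring: the 'encrypted' event fires when the player meets protected
// media. Guarded so the file also loads under Node without a DOM.
if (typeof navigator !== 'undefined' && typeof document !== 'undefined') {
  const video = document.querySelector('video');
  if (video) {
    video.addEventListener('encrypted', (ev) =>
      runLicenseExchange(navigator, video, ev.initDataType, ev.initData,
        (req) => fetch('/license', { method: 'POST', body: req }).then((r) => r.arrayBuffer()), true)
        .catch(console.error));
  }
}
```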
A quality DRM system, Wired continues, should protect the decrypted data and only let you stream the content in your browser. Google’s system, however, lets you copy it as it streams. This allows those with the right knowledge, like Livshits and Mikityuk, to hijack the decrypted movie as the CDM decrypts it and sends it over to the player for streaming.
To demonstrate the flaw, which was first discovered about eight months ago, the duo created a proof-of-concept executable that is shown in the embedded video above.
The two say they notified Google of the flaw on May 24, but the search giant has yet to issue a patch. They will wait at least 90 days before revealing to the public exactly how the flaw works, as they don't want people stealing movies. The good news, they note, is that it should be easily fixable via a software update, but that doesn't really solve the underlying problem.
A spokesperson for Google told Wired that the issue isn't exclusive to Chrome and could apply to any browser built from Chromium, the open-source code base on which Chrome is built. What that means is that, even if Google patches Chrome, other browser makers could leave out the fix, which would leave streaming content once again vulnerable.