Chrome browser bug makes movie piracy even easier

Stealing movies is simple with Chrome.
Photo: David Livshits/Alexandra Mikityuk

A worrying flaw uncovered in Google Chrome makes it even easier for pirates to download movies and TV shows from the web. Google was made aware of the issue a month ago, but the company is yet to release an update that fixes it.

As studios find new ways to protect their content from pirates with DRM, the pirates find new ways to get around it. It gets more difficult as the DRM gets better, but there’s often a flaw somewhere that makes it breakable.

Two security researchers, David Livshits from the Cyber Security Research Center at Ben-Gurion University in Israel and Alexandra Mikityuk with Telekom Innovation Laboratories in Berlin, Germany, have found one in Google Chrome.

The problem stems from the way in which Chrome uses the Widevine EME/CDM technology, which Google owns but did not create, to access and play encrypted video from online streaming services.

“It uses encrypted media extensions to allow the content decryption module in your browser to communicate with the content protection systems of Netflix and other streaming services to deliver their encrypted movies to you,” explains Wired.

“EME handles the key or license exchange between the protection systems of content providers and a CDM component in your browser… the CDM sends a license request to the provider through the EME interface and receives a license in return.”

Once it has that license, the CDM can then decrypt the video and send it to Chrome for you to enjoy. The DRM is designed to protect this decrypted data and ensure it stays within your browser — but Chrome’s flaw breaks it.

Livshits and Mikityuk were able to find a way to grab the video right after the CDM decrypts it and starts sending it to Chrome. The video below demonstrates this using a proof-of-concept they created.

The researchers notified Google of this flaw on May 24, but the company is yet to fix it. They say the exploit is simple — and so is the fix — but they won’t reveal how they used it until Google has had at least 90 days to release a patch.

Google told Wired that it is examining the problem, but apparently “downplayed” it. The company also said that the issue isn’t exclusive to Chrome, and would apply to any web browser that was derived from Chromium.

It’s unclear if the flaw is present in third-party browsers. Firefox and Opera also use Widevine, but the researchers haven’t examined those yet. Apple’s and Microsoft’s browsers, which use proprietary technologies, haven’t been tested, either.