Chrome bug aids in pirating Netflix, Amazon videos

DRM, or Digital Rights Management (some call it Digital Restrictions Management), is a class of technologies and software aimed to protect copyrighted material from unauthorized access, a.k.a. piracy. But what if that DRM itself is guilty of helping pirates do exactly that? That is somewhat the position Google is finding itself in when the DRM technology it uses in its Chrome browser has been found to have a bug that actually makes it easier to lift encrypted videos streamed from the likes of Netflix or Amazon Prime and spread them around illegally.

The technology in question is called Widevine EME/CDM, which Google purchased back in 2010 in its effort to support encrypted, premium content in YouTube as well as Chrome. In a nutshell, what Widevine does is talk with remote server, like Netflix's, to request for a license to decrypt content streaming from said servers. While that's similar to what most DRM technologies do, what happens afterwards is where Widevine fails.

According to security researches David Livshits of Ben-Gurion University in Israel and Alexandra Mikityuk of Berlin's Telekom Innovatio Laboratories, Widevine decrypts and then stores a copy of the decrypted (in other words, unprotected) video somewhere a hacker or pirate can copy it, before the video actually reaches the browser for playing. As the file is unencrypted, pirates won't need to do the work of cracking its code to have access to the content. Widevine does the heavy lifting or it.

The researchers reported the exploit to Google last May 24th and is waiting for Google's own 90-day policy to lapse before it publishes details of the bug. This is to give Google the time to patch the bug before it becomes public and before knowledge falls into the hands of less than savory people. Strangely enough, Google doesn't seem to be in a rush.

In fact, the browser maker was somewhat downplaying the bug report, saying that even if it were to fix the bug in Chrome, its open source code base, Chromium, would still remain open to the vulnerability. It is a rather odd stance to take considering Google both owns and distributes Chrome as well as Widevine, so it is in the position to fix both. The researchers suggest that a proper fix to Widevine would be to make sure that it only run in a trusted environment out of reach of hackers and pirates.

VIA: WIRED