Chrome bug gives pirates a way to steal streaming movies

Chrome piracy

Security researchers have discovered a bug in Google Chrome that gives pirates a way to copy paid-for movies streamed from sites like Netflix and Amazon Video.

Movie streaming services rely on DRM (Digital Rights Management) technology to keep a lid on piracy by controlling how and where the TV and movies they distribute can be played.

Users are supposed to have the option to view the content as the vendor intended, or not at all.

According to Wired, users of Google Chrome have another option altogether though – protected content that’s streamed to the popular browser can be intercepted and copied as the bits and bytes flow between the browser’s CDM (Content Decryption Module) and media player.

When you want to play a DRM-protected movie, Chrome’s CDM asks the content provider for a license and then uses that license to decrypt the movie. The decrypted content is then sent to the browser’s media player where it’s turned into something you can actually watch.

The bug was apparently discovered about eight months ago by researchers David Livshits and Alexandra Mikityuk who reported it to Google on 24 May 2016.

Livshits and Mikityuk are keeping the precise details of the vulnerability under wraps for 90 days (a limit in line with the disclosure policy of Google’s own Project Zero.) The clock is ticking and there’s no patch yet but a spokesperson for the Mountain View search giant told Wired that it’s “examining the issue closely”.

Chrome uses DRM technology produced by a company Google acquired in 2010 called Widevine and the researchers suspect that the bug has existed for as long as the DRM technology has been part of the browser.

It’s possible that other browsers, even TVs and other devices, are vulnerable too.

Google Chrome is a packaged and lightly modified version of the open source Chromium project which also contains the vulnerable Widevine code. Chromium forms the basis of a number of other browsers, most notably Opera.

Widevine DRM technology has also been included in Firefox since 7 June and, according to the Widevine website, its DRM technology is deployed in over two billion devices such as TVs, set-top boxes and games consoles.

The researchers have so far restricted their investigations to Chrome and haven’t examined any other systems that use Widevine.

To demonstrate the flaw the researchers have written proof-of-concept code and produced a somewhat terse video of their software copying a streaming movie.