Piracy has long been a problem on the internet. Torrents, warez, and other related sites have been available for a long time to host bootleg content, and the rightful owners of this content have never been happy about it. To combat this issue, Digital Rights Management (DRM) systems were created. However, as technology evolves, pirates have also found ways around them.
Against this background, two security researchers recently discovered an exploit in the way Google Chrome streams media, which could possibly make piracy a lot easier. David Livshits from the Cyber Security Research Center at Ben-Gurion University in Israel and Alexandra Mikityuk with Telekom Innovation Laboratories in Berlin, Germany claim that people could exploit the vulnerability to save illegal copies of movies they stream using sites like Netflix or Amazon Prime.
The problem lies within the Widevine EME/CDM technology that Google Chrome utilizes to stream encrypted videos. The system uses Encrypted Media Extensions (EME) to allow the Content Decryption Module (CDM) of the browser to communicate with the protection systems of Netflix and similar streaming websites. This exchange is what then allows the user to watch the encrypted video.
Normally, this Digital Rights Management system should only let you see the video in your browser, as it is encrypted by the service. However, after the CDM decrypts the movie and sends it over to the web player, Google's system lets users access and copy the decrypted movie, as shown in the video above. This loophole makes it possible to pirate any movie you can ever think of.
Livshits and Mikityuk believe that the problem could easily be sorted out through a Chrome patch. Furthermore, a Google spokesman acknowledged the vulnerability, but stated that the problem is not exclusive to Chrome and also applies to other browsers built on Chromium. "Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths," said the spokesman in an interview with WIRED.
The researchers, however, were not happy with Google's answer, stating that though the problem can also be replicated on other browsers, it should not stop the company from patching the problem in their own software.
Livshits and Mikityuk are staying mum about other details of the exploit for at least 90 days, the minimum time Google's security researchers in its Project Zero program allow for fixing any vulnerabilities before they disclose the issues to the public.