Unpatched Chrome Bug Allows You to Illegally Download Movies from Netflix
If you believe there's nothing wrong with piracy, this might be a great news for you. Security researchers have discovered a vulnerability in Google Chrome that could be exploited to save "illegal copies" of movies you stream on the browser. Netflix, Amazon Prime? Stream and download.
Chrome makes it really easy to pirate movies
David Livshits of the Cyber Security Research Center at Ben-Gurion University, Israel and Alexandra Mikityuk of Telekom Innovation Laboratories in Berlin, Germany have discovered a bug in Chrome that allows users to download video from streaming services like Amazon Prime and Netflix. While the details of this "very simple" vulnerability aren't available publicly - much to the dismay of pirates - Google is given 90 days by the experts to fix the issue.
The vulnerability lies in Chrome's implementation of the digital management system (Widevine EME/CDM technology) that is used to communicate with streaming services like Netflix and others to stream encrypted video. When users request to stream a video, Widevine sends and receives a license request to decrypt the video which is then sent to the browser to stream. DRM system is supposed to allow content to stream directly to the browser. However, researchers uncovered that Google's system was allowing third parties to copy the stream as it was being sent to the browser. "The point at which you can hijack the decrypted movie is right after the CDM decrypts the film and is passing it to the player for streaming," researchers told Wired.
Google didn't create this technology, but it does own it. The tech giant acquired Widewine in 2010 to secure streams and the flaw has existed in the system since then. Firefox and Opera also use the same technology, while Safari and Internet Explorer have their own DRM systems.
Security researchers have shared a proof-of-concept video demonstrating the vulnerability. They informed Google about this flaw on May 24, which means Google gets 90 days to patch the exploit before researchers disclose the details publicly.