Two cyber security experts found a hole in the DRM protection of Google’s Chrome web browser that could be exploited by hackers and movie pirates. The researchers claim that users exploiting the Chrome bug could make free copies of Netflix and Amazon Prime movies without the need for specialized software.
Researchers David Livshits of the Israel-based Ben-Gurion University and Alexandra Mikityuk from Germany-based Telekom Innovation Laboratories have submitted the issue to Google, but the company has so far failed to repair the bug.
The team explained that the bug affects the way the web browser accesses the Widevine EME/CDM DRM system when streaming online video content. Widevine manages the key and license exchange between the browser and the video streaming sites.
Chrome handles Widevine DRM protections in a way that does more than allow users to watch content in their browser player. It also allows users to download content free of charge.
Movie pirates can try to download movies at the moment when Chrome has already received license permission and is decrypting the content and passing it to the player for streaming.
The two experts claim that the bug is fairly easy to exploit, but they declined to provide more details before Google fixes it. They don’t want more movie pirates to learn how to steal licensed films.
The research team believes that a quick fix could be done through a patch. They also recommend that Google developers have Chrome’s CDM run inside a Trusted Execution Environment to prevent more bugs from appearing.
Google said that the bug does not affect only Chrome; it impacts any Chromium-based web browser to date. The company added that because Chrome is open-source, there are many versions out there that run the CDM differently.
In other words, even if Google issues a patch, the bug can still be exploited through other web browsers built on Chromium. What’s more, Google has apparently long been aware of the issue but kept it secret.
Livshits and his fellow researcher were surprised by Google’s answer. They strongly believe that the web search giant should at least try to fix the problem in its browser, even though that may not stop movie pirates from exploiting the bug through other means.
Reportedly, the two researchers spotted the bug in November, but the problem has persisted ever since Google paired its browser with the Widevine system.