Google Chrome glitch lets users illegally download movies from Netflix and Amazon Prime

Earlier this year, Netflix CEO Reed Hastings said that the popular streaming service would "keep an open mind" on the possibility of introducing a feature that allows users to download content and view it offline. Two security researchers have found a glitch in Google's Chrome browser that already allows users to illegally download content from streaming services such as Netflix and Amazon Prime.

According to a Wired report, the vulnerability lies in Chrome's digital rights management (DRM) system, Widevine - a system that is supposed to protect the copyrights of data against illegal distribution by only allowing users to stream content within their browser.

To securely stream video from services such as Netflix and Amazon Prime, Widevine uses a combination of encrypted media extensions (EME) and a content decryption module (CDM).

When a person selects a movie to watch, Chrome's CDM first passes a licence request to the streaming site and is sent back a licence that allows the browser to decrypt the video and stream the copyrighted content in a user's browser player.

The bug, however, takes advantage of the fact that Widevine does not check whether the decrypted content is the only video playing in Chrome.

Researchers David Livshits from the Cyber Security Research Centre at Ben-Gurion University and Alexandra Mikityuk from Telekom Innovation Laboratories found that malicious hackers and pirates using the right software can actually capture the movie stream as it passes through the browser's media player after it is decrypted and essentially download the movie for themselves.

The researchers created a proof-of-concept that has been successfully tested and a short video to demonstrate how the reportedly simple bug allows for easy video piracy.

"The simplicity of stealing protected content with our approach poses a serious risk for Hollywood, which relies on such technologies to protect their assets," Livshits said in a statement.

Although the researchers say they privately informed Google about the bug on 24 May, a patch has not been rolled out yet. They added that they will give the tech giant 90 days to squash the bug before they reveal details about the vulnerability to the public.

Google, however, admitted to Wired that it has been aware of the issue for some time now. However, the company says the root of the problem lies in Chromium - the open-source code upon which Google Chrome is based. Although they could deploy a fix for the glitch, the company says its browser's open-source system would still allow any user to easily create their own version of the software that still includes the bug or create some other modification that allows them to continue to illegally download movies.

"We appreciate the researchers' report and we're examining it closely," Google said in a statement, Gizmodo reports. "Chrome has long been an open-source project and developers have been able to create their own versions of the browser that, for example, may use a different CDM or include modified CDM rendering paths. The Chrome browser, however, is required to protect compressed videos and does so."

The security researchers argue that Google should still roll a patch for the issue, regardless of whether users can develop their own versions of the browser or not.

According to the Motion Picture Association of America, major US studios lost an estimated lost a whopping $6.1bn in 2005.

Currently deployed in over two billion devices across the globe, other browsers including Firefox and Opera also use Widevine's DRM system as well. Safari and Internet Explorer, on the other hand, rely on different technologies such as Apple's FairPlay CDM and Microsoft's PlayReady CDM respectively.

"We hope that disclosure of this vulnerability will urge other DRM vendors to re-evaluate the security of their products and provide additional layers of defense," said Dr Rami Puzis, a lecturer and researcher at BGU's CSRC.