Two security researchers have uncovered a bug in Chrome that allows video downloads from streaming services like Netflix and Amazon Prime (via Wired). Details of the vulnerability are not yet publicly available, as the researchers are giving Google 90 days to fix the issue.
The issue lies in Chrome’s implementation of Widevine, the digital rights management (DRM) system used to communicate with streaming services. When users select something they want to watch, Widevine sends and receives a licence request so that the video can be decrypted and sent to the browser to stream.
However, Google’s system allows third parties to copy the stream as it is being sent to the browser to play. A good DRM system would only allow content to stream directly to the browser.
Widevine was purchased by Google in 2010 to secure streams, and the vulnerability has existed since Widevine was added to Chrome. Safari and Internet Explorer use their own DRM systems, but Firefox and Opera also rely on Widevine. The researchers have only examined desktop Chrome for the issue.
Following Google’s internal disclosure policies for third-party vendors, researchers David Livshits and Alexandra Mikityuk are giving Google 90 days to remedy the issue before publishing details. The pair say the bug is very simple and can be fixed with a Chrome patch. However, they note that Google would have to redesign Widevine to ensure streams cannot be hijacked in the future.
A Google spokesperson said that the issue is being examined.