Pierluigi Paganini June 28, 2016

A Google Widevine DRM flaw in the Chrome browser can be exploited to easily download videos streamed from websites such as Amazon Prime Video and Netflix.

The flaw was discovered by researchers from the Ben-Gurion University of the Negev in Israel and the Telekom Innovation Laboratories in Germany. According to the experts, the issue exists in the Google’s implementation of the Widevine digital rights management (DRM) solution.

The Google Widevine DRM allows users to distribute and protect the content delivered over the Web, Widevine is available on over 2 billion devices including desktop and mobile platforms.

The vulnerability affects the Widevine DRM’s encrypted media extensions (EME) and content decryption module (CDM) components.

The EME module provides an API that enables the users’ browser to communicate with the DRM meanwhile the CDM component allows DRM-wrapped content to be played in the ordinary browser.

“A security vulnerability in Google technology that is supposed to protect videos streamed via Google Chrome has been discovered by researchers fromBGU’s Cyber Security Research Center (CSRC) in collaboration with a security researcher from Telekom Innovation Laboratories in Berlin, Germany.” states a blog post on the vulnerability affecting Google Widevine DRM.

“The BGU Google Vulnerability Video demonstration video shows how easily content can be stolen from a protected video. Piracy costs studios $6.1 billion annually, according to the Motion Picture Association of America.”

An attacker can exploit the flaw to copy a video as it is being streamed via Chrome, the experts have developed a proof-of-concept (PoC) that will be published only after Google will fix the flaw.

Below a video PoC published by the team that shows an attacker saving a decrypted version of streamed content protected by the Widevine DRM.

The experts successfully tested the proof-of-concept on different recent versions of Google Chrome bypassing Google Widevine DRM that was used to protect Netflix streaming services as well as Amazon TV.

“The simplicity of stealing protected content with our approach poses a serious risk for Hollywood, which relies on such technologies to protect their assets,” says David Livshits, the expert who developed the PoC. 

“The attack proof-of-concept can be bundled in an executable file and can be installed on any computer with Google Chrome to achieve its goals. The proof-of-concept as well as the vulnerability details have been reported to Google’s security team, and the researchers are assisting in the process to plug the vulnerability and make sure the problem is solved as soon as possible. “

Google confirmed that the vulnerability could affect any browser based on the open-source Chromium project. Fortunately, according to the researchers Livshits and Mikityuk, the issue can be easily fixed. They also suggest designing the CDM so that it runs inside what’s called a Trusted Execution Environment (TEE) that would prevent someone from hijacking the content.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Google Widevine DRM, piracy)